DirX Directory Attributes

This chapter describes the DirX Directory attributes defined in the DirX Directory default DSA schema. (See the chapter titled DirX Directory Default DSA Schema in the DirX Directory Administration Reference for details.) For each attribute it provides:

  • A short description.

  • The abbreviation that can be used in dirxadm and in dirxcp for DAP binds instead of object identifiers.

  • The LDAP name(s) that can be used in dirxcp for LDAP binds instead of object identifiers.

  • The syntax for DAP protocol.

  • The syntax for LDAPv3 protocol.
    Note: When this subsection is omitted, the LDAPv3 syntax is UTF-8 string.

  • An example for DAP binds.

  • An example for LDAPv3 binds.

The LDAP name(s), the syntax, and an example for LDAPv3 binds are only provided for attributes that can be administered with the LDAP protocol. Only X.500 user attributes can be administered via LDAP.

For a detailed description of the attribute syntaxes, see the chapters titled DirX Directory String Representation for DAP Binds and DirX Directory String Representation for LDAP Binds.

X.500 User Application Attributes

User application attributes are attributes representing user information.

Naming Attributes

The following attributes are used in DirX Directory to identify the entries.Note that naming attributes may also be used as normal attributes for an object.

Common Name

The Common Name attribute specifies a name by which the object is commonly known and conforms to the naming conventions of the country or culture with which it is associated.

An attribute value for Common Name is chosen either by the person or organization it describes or by the organization responsible for the object it describes for devices and application entities.

Abbreviation

CN

LDAP Name(s)

cn, commonName

Syntax (DAP)

Directory-String {64}

Example (DAP)
{CN=John Smith}
{CN=High Speed Modem}
CN=Mayer
Example (LDAP)
{cn=John Smith}
{cn=High Speed Modem}
commonName=Mayer

Country Name

The Country Name attribute specifies a country. It identifies the country in which the named object is located or with which it is associated.

It is not checked whether the specified value is contained in the list of valid country codes.

Abbreviation

C

LDAP Name(s)

c, countryName

Syntax (DAP)

Country-Name (Only ISO/IEC IS3166 codes are valid values, see Appendix Country Codes.)

Syntax (LDAP)

Printable String (Size (2)) (LDAP style)

Example (DAP)
C=DE
Example (LDAP)
c=DE
countryName=UK

Locality Name

The Locality Name attribute specifies a locality (for example, a city). It identifies a geographical area or locality in which the named object is located or with which it is associated.

Abbreviation

L

LDAP Name(s)

l (character: lower l), localityName

Syntax (DAP)

Directory-String {128}

Example (DAP)
L=Munich
Example (LDAP)
l=Munich
localityName=Berlin

Organization Name

The Organization Name attribute specifies an organization.

An attribute value for Organization Name is chosen by the organization.

Abbreviation

O

LDAP Name(s)

o, organizationName

Syntax (DAP)

Directory-String {64}

Example (DAP)
{O=German Telecom}
O=My-Company
Example (LDAP)
{o=German Telecom}
organizationName=My-Company

Organizational Unit Name

The Organizational Unit Name attribute specifies an organizational unit.

The designated organizational unit is a part of an organization designated by an Organization Name attribute. An Organizational Unit Name attribute must be associated with an Organization Name attribute.

An attribute value for Organizational Unit Name is chosen by the organization of which it is a part.

Abbreviation

OU

LDAP Name(s)

ou, organizationalUnitName

Syntax (DAP)

Directory-String {64}

Example (DAP)
{OU=Marketing Division}
Example (LDAP)
{ou=Marketing Division}
organizationalUnitName=Development

State or Province Name

The State or Province Name attribute specifies a state or province. It identifies the geographical subdivision in which the named object is located or with which it is associated.

Abbreviation

SPN

LDAP Name(s)

st, stateOrProvinceName

Syntax (DAP)

Directory-String {128}

Example (DAP)
SPN=Florida
Example (LDAP)
st=Florida
{stateOrProvinceName=Freistaat Bayern}

Street Address

The Street Address attribute specifies a site for the local distribution and physical delivery in a postal address (that is, the street name, place, avenue, and the house number).

Abbreviation

STA

LDAP Name(s)

street, streetAddress

Syntax (DAP)

Directory-String {128}

Example (DAP)
{STA=Otto-Hahn-Ring 6}
Example (LDAP)
{street=Otto-Hahn-Ring 6}

Names in General

DMD Name

The DMD Name attribute specifies a Directory Management Domain (DMD). When used as a component of a directory name, it identifies a DMD which manages the named object.

Abbreviation

DMD

LDAP Name(s)

dmdName

Syntax (DAP)

Directory-String {32768}

Example (DAP)
DMD=dmd-1
Example (LDAP)
dmdName=dmd-1

DN Qualifier

The DN Qualifier attribute specifies disambiguating information to add to the relative distinguished name of an entry. It is used for entries held in multiple DSAs. Its value is the same in a given DSA and all the entries to which this information has been added.

Abbreviation

DNQ

LDAP Name(s)

dnQualifier

Syntax (DAP)

Printable-String

Syntax (LDAP)

Printable-String (LDAP style)

Example (DAP)
{DNQ=the older}
{DNQ=of My-Company-DSA}
Example (LDAP)
{dnQualifier=the older}

Generation Qualifier

The Generation Qualifier attribute contains a string, which is used to provide generation information.

Abbreviation

GQ

LDAP Name(s)

generationQualifier

Syntax (DAP)

Directory-String {32768}

Example (DAP)
GQ=sen.
GQ=II
Example (LDAP)
generationQualifier=sen.
generationQualifier=II

Given Name

The Given Name attribute specifies the first name of an individual.

Abbreviation

GN

LDAP Name(s)

gn, givenName

Syntax (DAP)

Directory-String {32768}

Example (DAP)
GN=John
Example (LDAP)
givenName=John

Initials

The Initials attribute specifies the initials of some or all of an individual’s name, but not the surname(s).

Abbreviation

I

LDAP Name(s)

initials

Syntax (DAP)

Directory-String {32768}

Example (DAP)
I=F.P.
Example (LDAP)
initials=F.P.

Name

The Name attribute is the attribute supertype from which string attribute types typically used for naming are formed.

Abbreviation

N

LDAP Name(s)

name

Syntax (DAP)

Directory-String {32768}

Example (DAP)
N=Miller
Example (LDAP)
name=Miller

Organization Identifier

The Organization Identifier attribute specifies an identification of an organization different from the organization name.

Abbreviation

ORGID

LDAP Name(s)

organizationIdentifier

Syntax (DAP)

Directory-String

Example (DAP)
ORGID=org-123
Example (LDAP)
organizationIdentifier=org-123

Pseudonym

The Pseudonym attribute a pseudonym for an object. It is used to name an object and make it clear that its name is a pseudonym.

Abbreviation

PSNYM

LDAP Name(s)

pseudonym

Syntax (DAP)

Directory-String {32768}

Example (DAP)
PSNYM=xyz
Example (LDAP)
pseudonym=xyz

Serial Number

The Serial Number attribute specifies an identifier, the serial number of a device.

Abbreviation

SER

LDAP Name(s)

serialNumber, ser

Syntax (DAP)

Printable-String (Size(1..64))

Syntax (LDAP)

Printable-String (Size(1..64)) (LDAP style)

Example (DAP)
SER=A12345
Example (LDAP)
serialNumber=A12345

Surname

The Surname attribute specifies the surname of an individual.

Abbreviation

SN

LDAP Name(s)

sn, surname

Syntax (DAP)

Directory-String {64}

Example (DAP)
SN=Smith
Example (LDAP)
sn=Smith
{surname=Meier-Luedenscheidt}

Unique Identifier

The Unique Identifier attribute specifies an identifier used to distinguish between object references when a distinguished name is reused. The attribute value is represented by a bit string.

Abbreviation

UID

LDAP Name(s)

x500UniqueIdentifier, uniqueIdentifier

Syntax (DAP)

Unique-Identifier

Syntax (LDAP)

Bit String

Example (DAP)
UID=0011010100
Example (LDAP)
uniqueIdentifier='0011010100'B

Attributes for Authentication

Authority Revocation List

The Authority Revocation List attribute identifies Certification Authority (CA) certificates that have been revoked, typically because they have been compromised, or are otherwise no longer valid. The attribute is used solely by Certification Authorities. (See Certificate-List syntax for details.)

Abbreviation

ARL

LDAP Name(s)

authorityRevocationList

Syntax (DAP)

Certificate-List

Syntax (LDAP)

Specify the attribute value in binary format. (See section Binary Attribute Values of chapter DirX Directory String Representations for LDAP Binds for details.)

Example (DAP)
ARL={CLU={VER=V2,
 		 SIG={AL=1.3.14.3.2.3},
    	  	IS={/O=My-Company/OU=Corporate CA },
    	  	TU=9612011200Z,
 		 NU=9612011300Z,
	  	 RC={SN=25,
  		     RD=9603011500Z};
	    	    {SN=75,
    	     RD=9608231005Z}},
 	   ALG={AL=1.3.14.3.2.3},
      EV=1011010101101101011000}
Example (LDAP)
{authorityRevocationList;binary=MIIBaTCB0wIBATANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJERTEMMAoGA1UEChMDUFFSMRAwDgYDVQQLEwdFbnRydXN0Fw05ODA5MDIxMjIzMThaFw05ODA5MDMxMzEzMzJaoHIwcDBBBgNVHRwBAf8ENzA1oDOgMaQvMC0xCzAJBgNVBAYTAkRFMQwwCgYDVQQKEwNQUVIxEDAOBgNVBAsTB0VudHJ1c3QwCgYDVR0UBAMCAQ4wHwYDVR0jBBgwFoAUEy7QRSaZ8D9VFsYlK1V/XQsXJZ0wDQYJKoZIhvcNAQEFBQADgYEAki/dBwJ+v9qU1+rJA6Pkvi5BQgAfpGPCgoq5jWdkLw/I/GbPhxZAMEYDvvDPkUTh4MwkfL2HFpwwKKZVNJ25kfWOzdSEMtUuFEym4ofRi8B24r9PoivzGHvoZFRhtvG/jBEnDDm5f0BsoDvLk7Z+DOi/kNotrW4cZdDAaYg0irE=}

CA-Certificate

The CA-Certificate attribute specifies the public key of the user´s certification authority (CA). (See Certificate syntax for details.)

Abbreviation

CAC

LDAP Name(s)

cACertificate

Syntax (DAP)

Certificate

Syntax (LDAP)

Specify the attribute value in binary format. (See section Binary Attribute Values of chapter DirX Directory String Representations for LDAP Binds for details.)

Example (DAP)
CAC={CU={VER=V3,
         SN=10,
         SIG={AL=2.5.8.1.1,
	        ALP=1024
             },
         IS={/O=my-company/OU=asw},
         VAL={VNA=9412011200Z,
	        VNB=9412011500Z
             },
         SUB={/O=my-company/OU=asw/CN=wythenshawe},
         SUBK={AL={AL=2.5.8.1.1,
	             ALP=1024
               	  },
PK=001100010011001000110011110010011000001100010000001
   	      },
	 IUID=00101010110100101001,
    	 SUID=00111010110100111001
        },
     ALG={AL=2.5.8.1.1,
 	    ALP=1024
	 },
     EV=1011010101101101011000}

Certificate Revocation List

The Certificate Revocation List attribute identifies user certificates that have been revoked, typically because they have been compromised or are otherwise no longer valid. The attribute is used solely by Certification Authorities. (See Certificate-List syntax for details.)

Abbreviation

CRL

LDAP Name(s)

certificateRevocationList

Syntax (DAP)

Certificate-List

Syntax (LDAP)

Specify the attribute value in binary format. (See section Binary Attribute Values of chapter DirX Directory String Representations for LDAP Binds for details.)

Example (DAP)
CRL={CLU={VER=V2,
 		   SIG={AL=1.3.14.3.2.3},
    	  	   IS={/O=My-Company/OU=Corporate CA },
    	  	   TU=9612011200Z,
 		   NU=9612011300Z,
	  	   RC={SN=25,
  		           RD=9603011500Z};
	    	          {SN=75,
    		           RD=9608231005Z}}
 	   ALG={AL=1.3.14.3.2.3},
         EV=1011010101101101011000}
Example (LDAP)
{certificateRevocationList;binary=MIIBaTCB0wIBATANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJERTEMMAoGA1UEChMDUFFSMRAwDgYDVQQLEwdFbnRydXN0Fw05ODA5MDIxMjIzMThaFw05ODA5MDMxMzEzMzJaoHIwcDBBBgNVHRwBAf8ENzA1oDOgMaQvMC0xCzAJBgNVBAYTAkRFMQwwCgYDVQQKEwNQUVIxEDAOBgNVBAsTB0VudHJ1c3QwCgYDVR0UBAMCAQ4wHwYDVR0jBBgwFoAUEy7QRSaZ8D9VFsYlK1V/XQsXJZ0wDQYJKoZIhvcNAQEFBQADgYEAki/dBwJ+v9qU1+rJA6Pkvi5BQgAfpGPCgoq5jWdkLw/I/GbPhxZAMEYDvvDPkUTh4MwkfL2HFpwwKKZVNJ25kfWOzdSEMtUuFEym4ofRi8B24r9PoivzGHvoZFRhtvG/jBEnDDm5f0BsoDvLk7Z+DOi/kNotrW4cZdDAaYg0irE=}

Cross-Certificate-Pair

The Cross-Certificate-Pair attribute specifies cross-certificate pairs of a certification authority. (See Certificate-Pair syntax for details.)

Abbreviation

CCP

LDAP Name(s)

crossCertificatePair

Syntax (DAP)

Certificate-Pair

Syntax (LDAP)

Specify the attribute value in binary format. (See section Binary Attribute Values of chapter DirX Directory String Representations for LDAP Binds for details.)

Example (DAP)
CCP={F={CU={VER=V3,
            SN=10,
            SIG={AL=2.5.8.1.1,
                 ALP=1024
                },
            IS={/O=my-company/OU=asw},
            VAL={VNA=9412011200Z,
	           VNB=9412011500Z
                },
            SUB={/C=ie/O=sse},
            SUBK={AL={AL=2.5.8.1.1,
	                ALP=512
		     },
                  PK=0011000100110010001100111100100110000011000100
   	         },
    	    IUID=00101010110100101001,
    	    SUID=00111010110100111001
           },
        ALG={AL=2.5.8.1.1,
	       ALP=1024
	    },
        EV=1011010101101101011000
       },
     R={CU={VER=V3,
            SN=10,
            SIG={AL=2.5.8.1.1,
	           ALP=1024
                },
            IS={/C=ie/O=sse},
            VAL={VNA=9412011200Z,
	           VNB=9412011500Z
                },
            SUB={/O=my-company/OU=asw},
            SUBK={AL={AL=2.5.8.1.1,
	                ALP=512
		     },
                  PK=00110001001100100011001111001001100000110001000
   	         },
    	    IUID=10101010110100101001,
    	    SUID=00111010110000101001
           },
        ALG={AL=2.5.8.1.1,
	       ALP=1024
	    },
        EV=1011010101101101011000
       }
    }

Delta Revocation List

The Delta Revocation List attribute identifies certificates that have been recently revoked, typically because they have been compromised, or are otherwise no longer valid. The attribute is used solely by Certification Authorities. (See Certificate-List syntax for details.)

Abbreviation

DRL

LDAP Name(s)

deltaRevocationList

Syntax (DAP)

Certificate-List

Syntax (LDAP)

Specify the attribute value in binary format. (See section Binary Attribute Values of chapter DirX Directory String Representations for LDAP Binds for details.)

Example (DAP)
DRL={CLU={VER=V2,
 		   SIG={AL=1.3.14.3.2.3},
    	  	   IS={/O=My-Company/OU=Corporate CA },
    	  	   TU=9612011200Z,
 		   NU=9612011300Z,
	  	   RC={SN=25,
  		           RD=9603011500Z};
	    	          {SN=75,
    		           RD=9608231005Z}}
 	   ALG={AL=1.3.14.3.2.3},
         EV=1011010101101101011000}
Example (LDAP)
{deltaRevocationList;binary=MIIBaTCB0wIBATANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJERTEMMAoGA1UEChMDUFFSMRAwDgYDVQQLEwdFbnRydXN0Fw05ODA5MDIxMjIzMThaFw05ODA5MDMxMzEzMzJaoHIwcDBBBgNVHRwBAf8ENzA1oDOgMaQvMC0xCzAJBgNVBAYTAkRFMQwwCgYDVQQKEwNQUVIxEDAOBgNVBAsTB0VudHJ1c3QwCgYDVR0UBAMCAQ4wHwYDVR0jBBgwFoAUEy7QRSaZ8D9VFsYlK1V/XQsXJZ0wDQYJKoZIhvcNAQEFBQADgYEAki/dBwJ+v9qU1+rJA6Pkvi5BQgAfpGPCgoq5jWdkLw/I/GbPhxZAMEYDvvDPkUTh4MwkfL2HFpwwKKZVNJ25kfWOzdSEMtUuFEym4ofRi8B24r9PoivzGHvoZFRhtvG/jBEnDDm5f0BsoDvLk7Z+DOi/kNotrW4cZdDAaYg0irE=}

NTS Security Identifier

The NTS Security Identifier attribute specifies the NT account name of the user. If an authenticated directory bind based on NT security should be performed, the user´s entry must contain this attribute. (See dse bind and obj bind in the DirX Directory Administration Reference for details.)

Abbreviation

NTUSER

LDAP Name(s)

ntSecurityIdentifier

Syntax (DAP)

Octet String

Example (DAP)
NTUSER=nt-volp
Example (LDAP)
ntSecurityIdentifier=nt-volp

User Certificate

The User Certificate attribute specifies the public key of a user. (See Certificate syntax for details.) A user may obtain one or more certificates from one or more Certification Authorities. The object class must have the value Strong-Authenticated-User (SAU).

Abbreviation

UC

LDAP Name(s)

userCertificate, uc

Syntax (DAP)

Certificate

Syntax (LDAP)

Specify the attribute value in binary format. (See section Binary Attribute Values of chapter DirX Directory String Representations for LDAP Binds for details.)

Example (DAP)
UC={CU={VER=V3,
         SN=10,
         SIG={AL=2.5.8.1.1,
	        ALP=1024
             },
         IS={/O=my-company/OU=asw},
         VAL={VNA=9412011200Z,
	        VNB=9412011500Z
             },
         SUB={/O=my-company/OU=asw/CN=wythenshawe},
         SUBK={AL={AL=2.5.8.1.1,
	             ALP=1024
               	  },
PK=001100010011001000110011110010011000001100010000001
   	      },
    	 IUID=0000110101001011010100,
    	 SUID=1011010101101101011000
        },
     ALG={AL=2.5.8.1.1,
 	    ALP=1024
	 },
     EV=1111010101101101011000}

User Password

The User Password attribute specifies the password of an object. It is a single-valued attribute. If the password is saved encrypted in the database it is not possible to perform a simple protected bind with dirxadm and dirxcp (DAP-bind).

Password Encryption

If the DirX Directory DSA password storage scheme is configured as “plain”, the DSA stores the user password in the DBAM database as a symmetrically encoded value. In this mode, if an LDIF content file is written or a DAP search result is constructed, the password value is passed to the output stream as the decoded clear text password.

The DirX Directory DSA is configurable to support the password storage schemes "SHA" or "Salted SHA". Passwords that are formed according to one of these schemes have been one-way-encrypted or hashed with a secure hash algorithm and - to create a readable string - base64 encoded. If the salted scheme is in force, the hashed user passwords are concatenated with an arbitrary salt-value before the base64 encoding occurs. The created value string can be stored in the Octet String attribute value of the User Password attribute exactly as the clear text string.

The variant of the secure hash algorithm to be applied can be configured. The default algorithm for hashing user passwords is SHA-1, furthermore the DSA supports the algorithms SHA-224, SHA-256, SHA-384 and SHA-512.

Multiple levels of support of the SHA password storage schemes can be configured. If any of the SHA support levels is turned on, the DirX Directory DSA is able to operate with passwords that have already been hashed outside the server. Additionally the support level defines to what extent the DirX Directory DSA actively performs the clear text-to-hash value conversion of the User Password attribute value.

  • Support level 1 (Basic Level) - This minimal level of support describes the fact that the DSA is able to operate with user passwords regardless of the format of the stored values. That is, if simple bind credentials are verified by the DSA, it considers the format of the entry’s user password and conditionally applies the hash before the actual password matching is performed. When user password values are exported (for example, an LDIF content file is written or a DAP search result is constructed) the value is passed to the output stream as it is stored, regardless of whether it is clear text or hashed format.

  • Support level 2 (Read Level) - This level introduces additionally to level 1 the feature that user password values are never exported in clear text format. Whenever the DSA retrieves a password from its database, it checks whether it is a clear text string or a hashed format. If the password is clear text, the hash algorithm is applied before the value is passed to the outgoing protocol. Therefore configuring support Level 2 makes passwords appear in LDIF files only in the hashed format. This also applies to the generation of LDIF change files, even if in this case the source of the information is an incoming request rather than the database.

  • Support level 3 (Read Write Level) - This level introduces additionally to level 2 the feature that user password values are checked during the process of import to the DSA. If the passwords come in as clear text strings, they are automatically converted to the hashed format before they are stored in the DSA’s database.

The generation of hashed user passwords follows the specification given in the internet-draft “Lightweight Directory Access Protocol (LDAP): Hashed Attribute values for 'userPassword' draft-stroeder-hashed-userpassword-values-01”.

Note that even level 3 does not prevent userPassword values from continuing to exist as clear text strings in the DSA’s database, if they were loaded before the password encryption was enabled.

Note also that even if level 2 or higher is activated, a DAP operation can return a non-hashed password if the entry information has been collected from other DSAs via DSP and these other DSAs are governed by another password policy.

Note that the use of hash algorithms distinct from SHA-1 is not recommended unless all DSAs participating in a floating master system are version DirX Directory Directory 8.3 or newer.

The DSA cannot compare two userPassword values that are both provided in a salted hash format; that is, all operations that compare two userPassword values, for example, a dirxcp obj compare operation, return an Unwilling to Perform error, if not one is a clear text user password.

The format of the password also affects the password syntax checking specified in the Password Policy subentry. If hashed passwords are used in add or modify operations, the server is unable to perform password quality checks. (See Password Check Syntax of section titled Attributes of the Password Policy Subentry for details.)

The DirX Directory DSA process generates an event log during the initialization process that informs the administrator of the current password storage scheme support level in force.

In principle, hashed passwords are not encrypted: The SHA algorithms are one-way functions resulting in a message digest. Once a user password value is converted into a hashed format, its clear text value cannot be restored.

If user password values are shadowed to directory servers that do not support the same password storage scheme or hash algorithm, these shadow directory servers are not able to use the password values in the context of the directory bind operation. Such a situation may result in the inability of all directory users to log into the directory system. This is particularly the case, if a DirX Directory Directory 8.3 supplier DSA replicates passwords that were hashed with one of the SHA2 family of algorithms to an older consumer DSA.

Additionally, if the DSA stores a password in the hashed (SHA or SSHA) format, it cannot authenticate the user if the user provides the simple-protected choice of simple credentials.

User password values that are SHA-1 hashed start with the tag {SHA} followed by the base64 encoding of the SHA-1 cipher of the user password value.For example (in LDIF)
userPassword: dirx is converted to
userPassword: {SHA}qxghIHOkekweiJieHndsahdsjuew4n432==

User password values that are SSHA-1 hashed start with the tag {SSHA} followed by the base64 encoding of the SHA-1 cipher of the user password value.For example (in LDIF)
userPassword: dirx is converted to
userPassword: {SSHA}VJAdQg6179lrPKgxAi/6vHkNUVc2OTkxM2ExYg==

User password values that are hashed with one of the SHA2 family of algorithms start with the tag {SHA224}, {SHA256}, {SHA384} or {SHA512}.For the salted hashed scheme the tags are {SSHA224}, {SSHA256}, {SSHA384} or {SSHA512}.

To enable password encryption, you must specify appropriate values for the Password Storage Scheme, Password Storage Scheme Algorithm and Password Storage Scheme Level attributes of the Password Policy subentry.(See section Attributes of the Password Policy Subentry for details.) Note that the Password Storage Scheme, Algorithm and Level are controlled by the respective attributes of the global Password Policy subentry /cn=GlobalPasswordPolicy.If subtree-specific Password Policy subentries contain Password Storage Scheme, Algorithm or Level attributes the DSA ignores these attributes; that is the global password storage scheme controls the storage of all user passwords stored in a DSA.

The following table summarizes the effect of the different settings for Password Storage Scheme and Password Storage Scheme Level (=Support level) on the storage and presented output of the User Password attribute.

Storage Scheme Storage Scheme Level Value added as …
(e.g.: from LDIF file or ADD operation)		 Value stored in DB as … Output as … (LDIF file or search result)

Plain

Ignored

Clear text

Symmetrical encoded

Clear text

Plain

Ignored

SHA

SHA

SHA

Plain

Ignored

SSHA

SSHA

SSHA

SHA

1

Clear text

Symmetrical encoded

Clear text

SHA

1

SHA

SHA

SHA

SHA

1

SSHA

SSHA

SSHA

SHA

2

Clear text

Symmetrical encoded

SHA

SHA

2

SHA

SHA

SHA

SHA

2

SSHA

SSHA

SSHA

SHA

3

Clear text

SHA

SHA

SHA

3

SHA

SHA

SHA

SHA

3

SSHA

SSHA

SSHA

SSHA

1

Clear text

Symmetrical encoded

Clear text

SSHA

1

SHA

SHA

SHA

SSHA

1

SSHA

SSHA

SSHA

SSHA

2

Clear text

Symmetrical encoded

SSHA (Note1)

SSHA

2

SHA

SHA

SHA

SSHA

2

SSHA

SSHA

SSHA

SSHA

3

Clear text

SSHA

SSHA

SSHA

3

SHA

SHA

SHA

SSHA

3

SSHA

SSHA

SSHA

Note 1: The output value will differ on each subsequent read in this combination.

Abbreviation

UP

LDAP Name(s)

userPassword

Syntax (DAP)

Octet String (Size(1..128))

Example (DAP)
UP=pw4712
Example (LDAP)
userPassword=pw4712

DirX TOTP Secret

The DirX TOTP Secret attribute specifies the 32-byte secret key associated with a time-based one-time password (TOTP) used in a DirX Directory TOTP two-factor (2FA) object bind operation. It is a single valued attribute.

The DirX DSA generates the TOTP secret when a DirX Directory administrator adds the object class dirxTOTPUser to the object. Its value is chosen at random by a cryptographically-secure pseudorandom number generator. The DSA stores the secret in the database encrypted with the AES-256 algorithm. The encrypted value is decrypted into the following otpauth URI format when returned in a DAP or LDAP read operation or specified in an LDIF file:

dirxTOTPSecret=otpauth://totp/*User?issuer=issuer_name&secret=*secret

where:

  • otpauth indicates the scheme used by authenticator apps to generate one-time passwords (OTPs) see RFC draft-linuxgemini-otpauth-uri-01.

  • totp indicates the type of OTP being generated; in this case, time-based one-time passwords (TOTPs).

  • The User parameter identifies the object associated with the TOTP secret and is the naming attribute of the object with the default value 2FA User.

  • The issuer_name parameter identifies the provider or service associated with the TOTP secret and is either the value held by the DirX DSA environment variable DIRX_DSA_TOTP_ISSUER or the value DirX if the environment variable is unset.

  • The secret parameter is the actual secret in Base32 encoding.

This format is recognized by most TOTP authenticator apps and can be copied/pasted into these apps.

Abbreviation

TOTPS

LDAP Name(s)

dirxTOTPSecret

Syntax (DAP)

Octet String

Example (DAP)
TOTPS=++\++x6f++\++x74++\++x70++\++x61++\++x75++\++x74++\++x68++\++x3a++\++x2f++\++x2f++\++x74++\++x6f++\++x74++\++x70++\++x2f++\++x55++\++x73++\++x65++\++x72++\++x3f++\++x69++\++x73++\++x73++\++x75++\++x65++\++x72++\++x3d++\++x44++\++x69++\++x72++\++x58++\++x26++\++x73++\++x65++\++x63++\++x72++\++x65++\++x74++\++x3d++\++x4d++\++x47++\++x48++\++x42++\++x46++\++x54++\++x54++\++x4d++\++x4f++\++x57++\++x54++\++x53++\++x36++\++x46++\++x45++\++x4b++\++x4a++\++x35++\++x50++\++x44++\++x58++\++x52++\++x58++\++x4d++\++x41++\++x4d++\++x52++\++x4c++\++x32++\++x57++\++x4a++\++x58++\++x41++\++x33++\++x53++\++x42++\++x32++\++x43++\++x4a++\++x4f++\++x50++\++x47++\++x51++\++x41++\++x53++\++x44++\++x36++\++x47++\++x4f++\++x34++\++x52++\++x51++\++x3d++\++x3d++\++x3d++\++x3d
Example (LDAP)
dirxTOTPSecret=otpauth://totp/User?issuer=DirX&secret=MGHBFTTMOWTS6FEKJ5PDXRXMAMRL2WJXA3SB2CJOPGQASD6GO4RQ====

Explanatory Attributes

Business Category

The Business Category attribute specifies information concerning the occupation of some common objects; for example, people.

Abbreviation

BC

LDAP Name(s)

businessCategory

Syntax (DAP)

Directory-String {128}

Example (DAP)
{BC=Software Engineering}
Example (LDAP)
{businessCategory=Software Engineering}

Description

The Description attribute specifies information describing the associated object.

Abbreviation

DSC

LDAP Name(s)

description, dsc

Syntax (DAP)

Directory-String {1024}

Example (DAP)
{DSC=Feel free to phone he is very helpful}
Example (LDAP)
{description=Feel free to phone he is very helpful}

Postal Addressing

Physical Delivery Office Name

The Physical Delivery Office Name attribute specifies the name of the city, village, etc. where a physical delivery office is situated.

Abbreviation

PDO

LDAP Name(s)

physicalDeliveryOfficeName

Syntax (DAP)

Directory-String {128}

Example (DAP)
PDO=Munich-Trudering
Example (LDAP)
physicalDeliveryOfficeName=Munich-Trudering

Postal Address

The Postal Address attribute specifies the address information required for physical delivery of postal messages by the postal authority to the named object. (See Postal-Address syntax for details.)

Abbreviation

PA

LDAP Name(s)

postalAddress, pa

Syntax (DAP)

Postal-Address

Syntax (LDAP)

Postal-Address (LDAP style)

Example (DAP)
{PA={PA1=Frank Mayer,PA2=Otto-Hahn-Ring 6,PA3=D-81730 Munich}}
Example (LDAP)
{postalAddress=Frank Mayer$Otto-Hahn-Ring 6$D-81730 Munich$Germany}

Postal Code

The Postal Code attribute specifies the postal code for a named object. It is part of the object´s postal address.

Abbreviation

PC

LDAP Name(s)

postalCode

Syntax (DAP)

Directory-String {40}

Example (DAP)
PC=D-81730
Example (LDAP)
postalCode=D-81730

Post Office Box

The Post Office Box attribute specifies the post office box at which the object will receive physical post delivery. It is part of the object´s postal address.

Abbreviation

POB

LDAP Name(s)

postOfficeBox

Syntax (DAP)

Directory-String {40}

Example (DAP)
POB=1281730
Example (LDAP)
postOfficeBox=1281730

Telecommunication Addresses

Destination Indicator

The Destination Indicator attribute specifies according to CCITT Rec. F.1 and Rec. F.31 the country and city associated with the object needed to provide the public telegram service.

Abbreviation

DI

LDAP Name(s)

destinationIndicator

Syntax (DAP)

Destination-Indicator

Syntax (LDAP)

Printable String {128} (LDAP style) only alphabetical characters

Example (DAP)
{DI=F Paris}
Example (LDAP)
{destinationIndicator=F Paris}

Fax Telephone Number

The Fax Telephone Number attribute specifies a telephone number for a facsimile (FAX) terminal. (See Facsimile-Telephone-Number for details).

Abbreviation

FTN

LDAP Name(s)

facsimileTelephoneNumber, ftn

Syntax (DAP)

Facsimile-Telephone-Number

Syntax (LDAP)

Facsimile-Telephone-Number (LDAP-style)

Example (DAP)
FTN={PN=3456}
Example (LDAP)
facsimileTelephoneNumber=3456

International ISDN Number

The International ISDN Number attribute specifies an International ISDN number associated with an object. The attribute value is a numeric string that complies with the internationally agreed format for ISDN addresses given in CCITT Rec. E. 164. (See International-ISDN-Number for details.)

Abbreviation

IIN

LDAP Name(s)

internationalISDNNumber

Syntax (DAP)

International-ISDN-Number (see CCITT Rec. E.164 for valid values)

Syntax (LDAP)

Numeric-String {16}

Example (DAP)
IIN=27456
Example (LDAP)
internationalISDNNumber=27456

Registered Address

The Registered Address attribute specifies a mnemonic for an address associated with an object at a particular city location. It is registered in the country in which the city is located and is used by the public telegram service. (See Postal-Address syntax for details.)

Abbreviation

RA

LDAP Name(s)

registeredAddress

Syntax (DAP)

Postal-Address

Syntax (LDAP)

Postal-Address (LDAP style)

Example (DAP)
{RA={PA1=Frank Mayer,PA2=Otto-Hahn-Ring 6,PA3=D-81730 Munich}}
Example (LDAP)
{postalAddress=Frank Mayer$Otto-Hahn-Ring 6$D-81730 Munich$Germany}

Telephone Number

The Telephone Number attribute specifies a telephone number associated with an object.

Abbreviation

TN

LDAP Name(s)

telephoneNumber, tn

Syntax (DAP)

Printable-String (Size(1..32))

Syntax (LDAP)

Printable-String (Size(1..32)) (LDAP style)

Example (DAP)
{TN=+49 89 6745678;+48 89 636 567890}
Example (LDAP)
{telephoneNumber=+49 89 6745678;+48 89 636 567890}

Teletex Terminal Identifier

The Teletex Terminal Identifier attribute specifies a teletex terminal identifier for a teletex terminal associated with an object. (See Teletex-Terminal-Identifier syntax for details.)

Abbreviation

TTI

LDAP Name(s)

teletexTerminalIdentifier

Syntax (DAP)

Teletex-Terminal-Identifier

Syntax (LDAP)

Teletex-Terminal-Identifier (LDAP style)

Example (DAP)
{TTI={TT= My-Company AG Teletex center}}
Example (LDAP)
{teletexTerminalIdentifier=My-Company AG Teletex center$page:letter}

Telex Number

The Telex Number attribute specifies a telex number, country code, and answerback code for a telex terminal associated with an object. (See Telex-Number syntax for details.)

Abbreviation

TXN

LDAP Name(s)

telexNumber

Syntax (DAP)

Telex-Number

Syntax (LDAP)

Telex-Number (LDAP style)

Example (DAP)
{TXN={TN=24344,
     CC=046,
     AB=GAMEX B }}
Example (LDAP)
{telexNumber=24344$046$GAMEX B}

X.121 Address

The X.121 Address attribute specifies an address as defined by CCITT Rec. X.121 associated with an object. (See X121-Address Syntax for details.)

Abbreviation

X1A

LDAP Name(s)

x121Address

Syntax (DAP)

X121-Address

Syntax (LDAP)

Numeric-String {15}

Example (DAP)
X1A=1234
Example (LDAP)
x121Address=1234

Preference Attributes

Preferred Delivery Method

The Preferred Delivery Method attribute specifies the order of preference for message delivery methods. The attribute is single-valued. (See Preferred Delivery Method Syntax for details.)

Valid values are:

DAP bind LDAPv3 bind Meaning

ANY

any

Any method of delivery

MHS

mhs

Message handling system delivery

PHYSICAL

physical

Physical delivery

TELEX

telex

Telex delivery

TELETEX

teletex

Teletex delivery

G3_FAX

g3fax

G3 FAX delivery

G4_FAX

g4fax

G4 FAX delivery

IA5

ia5

IA5 terminal delivery

VIDEOTEX

videotex

Videotex delivery

TELEPHONE

telephone

Telephone delivery

For DAP binds, multiple values are separated by a plus sign (+), with the most preferred method first in the list; for LDAP binds, multiple values are separated by a dollar sign ($), with the most preferred method first in the list.

Abbreviation

PDM

LDAP Name(s)

preferredDeliveryMethod

Syntax (DAP)

Preferred-Delivery-Method

Syntax (LDAP)

Preferred-Delivery-Method (LDAP style)

Example (DAP)
PDM=PHYSICAL+ANY
Example (LDAP)
preferredDeliveryMethod=physical$any

OSI Applications

Application Entity

The Application Entity attribute specifies the object identifier that is assigned to an application entity and allows it to be identified.

Abbreviation

AE

LDAP Name(s)

applicationEntity

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
AE=1.3.12.2.1107.0
Example (LDAP)
applicationEntity=1.3.12.2.1107.0

Presentation Address

The Presentation Address attribute specifies a presentation address associated with an object representing an OSI application entity. (See Presentation-Address syntax for details.)

This attribute is not supported for LDAP protocol.

Abbreviation

PSA

Syntax (DAP)

Presentation-Address

Example (DAP)
PSA={TS=server,NA='TCP/IP!internet=123.45.67.89+port=31111'}

Protocol Information

The Protocol Information attribute associates protocol information with each network address in the PSAP attribute. For each NSAP, address it identifies the protocol or profile for the network and transport layers. (See Protocol Information syntax for details.)

This attribute is not supported for LDAP protocol.

Abbreviation

PI

Syntax (DAP)

Protocol-Information

Example (DAP)
PI={NA='TCP/IP!internet=123.45.67.89+port=102',
     OID=1.3.14.65.237;1.3.14.65.239}

Supported Application Context

The Supported Application Context attribute specifies the object identifiers of supported application contexts. The attribute is contained in the root-DSE and is automatically generated when the database is created. It can be accessed using dirxadm.

Valid values are:

  • DAP - Directory-Access-Application-Context (DUA or DSA funtionality using DAP protocol)

  • DOPM - Directory-OPerational-Binding-Management-Application-Context (DSA functionality using DOP protocol to coordinate HOBs (hierarchical operational bindings) or shadowing)

  • DSP - Directory-System-Application-Context (DSA functionality using DSP protocol (chaining))

  • RSCI - Reliable-Shadow-Consumer-Initiated-Application-Context (DSA functionality using DISP protocol (shadowing) over the RTSE protocol when the consumer initiates the shadowing)

  • RSSI - Reliable-Shadow-Supplier-Initiated-Application-Context context (DSA functionality using DISP protocol (shadowing) over the RTSE protocol when the supplier initiates the shadowing)

  • SCI - Shadow-Consumer-Initiated-Application-Context (DSA functionality using DISP protocol when the consumer initiates the shadowing, and operations are synchronous; that is, no invoke can be initiated until a response to the last invoke has been received)

  • SSI - Shadow-Supplier-Initiated-Application-Context (DSA functionality using DISP when the supplier initiates the shadowing, and operations are synchronous)

  • SSIA - Shadow-Supplier-Initiated-Asynchronous-Application-Context (DSA functionality using DISP when the supplier initiates the shadowing, and operations can be asynchronous)

  • SCIA - Shadow-Consumer-Initiated- Asynchronous-Application-Context (DSA functionality using DISP when the consumer initiates the shadowing, and operations can be synchronous; that is, another invoke can be initiated before a response to the last invoke has been received)

The DirX Directory DSA supports the application contexts DAP, DSP, SCI, and SSI.

Because this attribute is only accessible by using dirxadm no access using LDAP or DAP protocol is possible.

Abbreviation

SAC

Syntax

Object Identifier

Example (dirxadm)
SAC=DAP;DSP;SCI;SSI

Transfer Syntaxes Supported

The Transfer Syntaxes Supported attribute specifies the object identifiers of the transfer syntaxes and / or encoding rules supported. The attribute is contained in the root-DSE. It can be accessed using dirxadm.

The implementation supports the ASN.1 Basic and Distinguished Encoding Rules.

Because this attribute is only accessible by using dirxadm, no access using LDAP or DAP protocol is possible.

Abbreviation

TSS

Syntax

Object Identifier

Example (dirxadm)
TSS=2.1.1;2.1.2.1 ASN.1 Basic and Distinguished Encoding Rules

Upper Layer Profile Info

The Upper Layer Profile Info attribute specifies the object identifiers of the upper layer profile that are implemented in an application entity.

The implementation supports the EWOS profiles FOI11 and FOI5.

Abbreviation

ULPI

LDAP Name(s)

upperLayerProfileInfo

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
ULPI=1.0.10616;1.0.12072 EWOS profiles FOI11 and FOI5
Example (LDAP)
upperLayerProfileInfo=1.0.10616;1.0.12072

Relational Attributes

Relational attributes are concerned with information regarding objects that are related to a particular object in certain ways.

Aliased Object Name

The Aliased Object Name attribute specifies an alternative name for an object or object entry. It is contained in an alias entry.

Abbreviation

AON

LDAP Name(s)

aliasedObjectName, aliasedEntryName

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
AON={/O=My-Company/OU=Sales/CN=Hohner}
Example (LDAP)
aliasedObjectName=cn=Hohner,ou=Sales,o=My-Company

DirX Directory ImportFrom

The DirX Directory ImportFrom attribute specifies the DN of a groupOfNames entry from which member attributes are to be imported. It is used to build a nested group.

Abbreviation

IMPFROM

LDAP Name(s)

dirxImportFrom

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
IMPFROM={/O=My-Company/CN=UserGroups}
Example (LDAP)
dirxImportFrom= cn=UserGroups,o=My-Company

DirX Directory MemberUrl

The DirX Directory MemberUrl attribute specifies an LDAP search expression. It is used to define a dynamic group.

Abbreviation

DRXMURL

LDAP Name(s)

dirxMemberUrl

Syntax (DAP)

Directory-String in the format of DirX Directory-Member-Url attribute syntax (see the section DirX Directory-Member-Url in the chapter DirX Directory String Representation for DAP Binds for details)

Syntax (LDAP)

Directory-String in the format of DirX Directory-Member-Url attribute syntax (see the section DirX Directory-Member-Url in the chapter DirX Directory String Representation for DAP Binds for details)

Example (DAP)
DRXMURL=ldap:///o=My-Company??sub?(&(l=sunnyvale)(title=senior*))
Example (LDAP)
dirxMemberUrl=ldap:///o=My-Company??sub?(&(l=sunnyvale)(title=senior*))

DN

The Distinguished Name attribute specifies the name of an object.

Abbreviation

DN

LDAP Name(s)

distinguishedName

Syntax (DAP)

Distinguished-Name

Syntax (LDAP)

Distinguished-Name (LDAP style)

Example (DAP)
DN={/O=My-Company/OU=Sales/CN=Miller}
Example (LDAP)
distinguishedName=cn=Miller,ou=Sales,o=My-Company

Member

The Member attribute specifies a group of names associated with an object.

Abbreviation

MEM

LDAP Name(s)

member

Syntax (DAP)

Distinguished-Name

Syntax (LDAP)

Distinguished-Name (LDAP style)

Example (DAP)
{MEM=/O=My-Company/OU=Sales/CN=distribution list}
Example (LDAP)
{member=cn=distribution list,ou=Sales,o=My-Company}

Owner

The Owner attribute specifies the name of the object that is responsible for an associated object.

Abbreviation

OWN

LDAP Name(s)

owner

Syntax (DAP)

Distinguished-Name

Syntax (LDAP)

Distinguished-Name (LDAP style)

Example (DAP)
OWN={/O=My-Company/OU=Sales/CN=Mayer}
Example (LDAP)
owner=cn=Mayer,ou=Sales,o=My-Company

Role Occupant

The Role Occupant attribute specifies the name of an object that fulfills an organizational role.

Abbreviation

RO

LDAP Name(s)

roleOccupant

Syntax (DAP)

Distinguished-Name

Syntax (LDAP)

Distinguished-Name (LDAP style)

Example (DAP)
RO={/O=My-Company/OU=Sales/CN=Mayer}
Example (LDAP)
roleOccupant=cn=Mayer,ou=Sales,o=My-Company

See Also

The See Also attribute specifies the names of directory objects that can be other aspects of the same real world object.

Abbreviation

SEA

LDAP Name(s)

seeAlso

Syntax (DAP)

Distinguished-Name

Syntax (LDAP)

Distinguished-Name (LDAP style)

Example (DAP)
SEA={/O=My-Company/OU=Sales/CN=Mayer}
Example (LDAP)
seeAlso=cn=Mayer,ou=Sales,o=My-Company

Unique Member

The Unique Member attribute identifies objects by a distinguished name and an optional identifier. This attribute can remove ambiguity from names that have been reused. (See Name-And-Optional-UID syntax for details.)

Abbreviation

UM

LDAP Name(s)

uniqueMember

Syntax (DAP)

Name-And-Optional-UID

Syntax (LDAP)

Name-And-Optional-UID (LDAP style)

Example (DAP)
UM={DN={/O=my-company/OU=engineering/CN=Hughes H},
    UID=0010100101001011110};
   {DN={/O=my-company/OU=engineering/CN=Smith J}
   }
Example (LDAP)
uniqueMember=cn=Hughes H,ou=engineering,o=my-company
             #'0010100101001011110'B;
             cn=Smith J,ou=engineering,o=my-company

Miscellaneous Attributes

House Identifier

The House Identifier attribute specifies information that is used to identify a particular building; for example, a house number or house name relative to a street or town.

Abbreviation

HID

LDAP Name(s)

houseIdentifier

Syntax (DAP)

Directory-String {32768}

Example (DAP)
HID=32
Example (LDAP)
houseIdentifier=32

Knowledge Information

The Knowledge Information attribute specifies a human readable accumulated description of knowledge mastered by a specific DSA.

Abbreviation

KNI

LDAP Name(s)

knowledgeInformation

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{KNI=The entry is also shadowed by the My-Company-DSA}
Example (LDAP)
{knowledgeInformation=The entry is also shadowed by the My-Company-DSA}

Labeled URI

The Labeled URI attribute as specified in RFC 2079 defines one of several Universal Resource Identifiers. The values must comply with RFC1738.

Abbreviation

LURI

LDAP Name(s)

labeledURI

Syntax (DAP)

Directory-String

Example (DAP)
LURI=http:\/\/www.sni.de
Example (LDAP)
labeledURI=http:\/\/www.sni.de

Object Class

The ObjectClass attribute specifies the object identifiers of the object classes which indicates the nature of a particular entry. Each entry must contain this attribute.

There are three types of object classes:

  • Abstract object classes - Used to derive other object classes and provide the common characteristics of such object classes. An entry cannot belong only to abstract object classes. The only abstract object class in DirX Directory is TOP.

  • Structural object classes - Defines specific types of real-world objects, for example, object class organizational person (ORP). An entry is characterized by one structural object class superclass chain which has a single structural object class as the most subordinate object class. The structural object class of an entry cannot be changed.

  • Auxiliary object classes - Defines characteristics that can be shared by more than one kind of real-world object. For example, message handling systems make use of the auxiliary object class MHS user (MUS) to specify a package of mandatory and optional MHS attributes for entries whose structural object class is variable (for example, ORP for organizational person or REP for residential person). An object may be member of one or more auxiliary object classes. The auxiliary object class of an entry may change over time.

Since all entries are member of the object class TOP, this value need not be specified.

The Object Class Table in the chapter titled DirX Directory Default Schema describes the LDAP name(s) (which is used as value for LDAP binds), the abbreviation (which is used as value for DAP binds), the type, the superclasses, and the mandatory and optional attributes.

Abbreviation

OCL

LDAP Name(s)

objectClass, ocl

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
{OCL=PER;ORP}
Example (LDAP)
{objectClass=person;organizationalPerson}

RFC822 Mailbox

The RFC822 Mailbox attribute specifies a SMTP mail address (internet mail address).

Abbreviation

RMB

LDAP Name(s)

rfc822Mailbox, mail

Syntax (DAP)

IA5-String

Example (DAP)
RMB=John.Smithsales.my-company.de
Example (LDAP)
mail=John.Smith@sales.my-company.de

Title

The Title attribute specifies the position or function of the object within an organization.

Abbreviation

TIT

LDAP Name(s)

title

Syntax (DAP)

Directory-String {64}

Example (DAP)
TIT=Manager
Example (LDAP)
title=Manager

Collective Attributes

Collective attributes are user attributes whose values are the same for a collection of entries.

Although collective attributes appear to users of the Directory query operations as entry attributes, they are treated differently from entry attributes. This difference is that collective attributes cannot be administered (that is, modified) via the entries in which they appear but must be administered via their associated subentries. (See the chapter titled Creating Collective Attributes in a Subtree in the Administration Guide for details.)

The DSA does not support the use of collective attributes in filters.

Collective attributes can be excluded from particular entries by the use of the Collective Exclusions directory operational attribute.

Collective Fax Telephone Number

The Collective Fax Telephone Number attribute specifies a fax telephone number for a collection of entries

Abbreviation

FTNC

LDAP Name(s)

collectiveFacsimileTelephoneNumber, ftnc

Syntax (DAP)

Facsimile-Telephone-Number

Syntax (LDAP)

Facsimile-Telephone-Number (LDAP style)

Example (DAP)
FTNC={PN=563212}
Example (LDAP)
collectiveFacsimileTelephoneNumber=563212

Collective International ISDN Number

The Collective International ISDN Number attribute specifies a international lSDN number for a collection of entries

Abbreviation

IINC

LDAP Name(s)

collectiveInternationalISDNNumber

Syntax (DAP)

International-ISDN-Number (see CCITT Rec. E.164 for valid values)

Syntax (LDAP)

Numeric-String {16}

Example (DAP)
IINC=1234
Example (LDAP)
collectiveInternationalISDNNumber=1234

Collective Locality Name

The Collective Locality Name attribute specifies a locality name for a collection of entries

Abbreviation

LC

LDAP Name(s)

collectiveLocalityName

Syntax (DAP)

Directory-String {128}

Example (DAP)
LC=Munich
Example (LDAP)
collectiveLocalityName=Munich

Collective Organization Name

The Collective Organization Name attribute specifies an organization name for a collection of entries.

Abbreviation

ONC

LDAP Name(s)

collectiveOrganizationName

Syntax (DAP)

Directory-String {64}

Example (DAP)
{ONC=German Telecom}
ONC=My-Company
Example (LDAP)
{collectiveOrganizationName=German Telecom}
collectiveOrganizationName=My-Company

Collective Organizational Unit Name

The Collective Organizational Unit Name attribute specifies an organizational unit for a collection of entries.

Abbreviation

OUC

LDAP Name(s)

collectiveOrganizationalUnitName

Syntax (DAP)

Directory-String {64}

Example (DAP)
{OUC=Marketing Division}
Example (LDAP)
{collectiveOrganizationalUnitName=Marketing Division}

Collective Postal Address

The Collective Postal Address attribute specifies a postal address for a collection of entries.

Abbreviation

PAC

LDAP Name(s)

collectivePostalAddress

Syntax (DAP)

Postal-Address

Syntax (LDAP)

Postal-Address (LDAP style)

Example (DAP)
{PAC={PA1=My-Company, PA2=Otto-Hahn-Ring 6, PA3=D-81234 Munich}}
Example (LDAP)
{postalAddress=My-Company$Otto-Hahn-Ring 6$D-81730 Munich$Germany}

Collective Postal Code

The Collective Postal Code attribute specifies a postal code for a collection of entries.

Abbreviation

PCC

LDAP Name(s)

collectivePostalCode

Syntax (DAP)

Directory-String {40}

Example (DAP)
PCC=D-81234
Example (LDAP)
collectivePostalCode=D-81234

Collective Physical Delivery Office Name

The Collective Physical Delivery Office Name attribute specifies a physical delivery office name for a collection of entries.

Abbreviation

PDOC

LDAP Name(s)

collectivePhysicalDeliveryOfficeName

Syntax (DAP)

Directory-String {128}

Example (DAP)
PDOC=Munich
Example (LDAP)
collectivePhysicalDeliveryOfficeName=Munich

Collective Post Office Box

The Collective Post Office Box attribute specifies a post office box name for a collection of entries.

Abbreviation

POBC

LDAP Name(s)

collectivePostOfficeBox

Syntax (DAP)

Directory-String {40}

Example (DAP)
{POBC=Post Office Box 56789}
Example (LDAP)
{collectivePostOfficeBox=Post Office Box 56789}

Collective State or Province Name

The Collective State or Province Name attribute specifies a state or province for a collection of entries.

Abbreviation

SPNC

LDAP Name(s)

collectiveStateOrProvinceName

Syntax (DAP)

Directory-String {128}

Example (DAP)
SPNC=Florida
Example (LDAP)
collectiveStateOrProvinceName=Florida

Collective Street Address

The Collective Street Address attribute specifies street address for a collection of entries.

Abbreviation

STAC

LDAP Name(s)

collectiveStreetAddress

Syntax (DAP)

Directory-String {128}

Example (DAP)
{STAC=Otto-Hahn-Ring 6}
Example (LDAP)
{collectiveStreetAddress=Otto-Hahn-Ring 6}

Collective Telephone Number

The Collective Telephone Number attribute specifies a telephone number for a collection of entries.

Abbreviation

TNC

LDAP Name(s)

collectiveTelephoneNumber, tnc

Syntax (DAP)

Printable-String (SIZE(1..32))

Syntax (LDAP)

Printable-String (SIZE(1..32)) (LDAP style)

Example (DAP)
{TNC=+49 89 374526}
Example (LDAP)
{collectiveTelephoneNumber=+49 89 374526}

Collective TTX Terminal Identifier

The Collective TTX Terminal Identifier attribute specifies a ttx terminal identifier for a collection of entries.

Abbreviation

TTIC

LDAP Name(s)

collectiveTeletexTerminalIdentifier

Syntax (DAP)

Teletex-Terminal-Identifier

Syntax (LDAP)

Teletex-Terminal-Identifier (LDAP style)

Example (DAP)
{TTIC={TT=My-Company AG Teletex Center}}
Example (LDAP)
{collectiveTeletexTerminalIdentifier=My-Company AG Teletex Center}

Collective Telex Number

The Collective Telex Number attribute specifies a telex number for a collection of entries.

Abbreviation

TXNC

LDAP Name(s)

collectiveTelexNumber

Syntax (DAP)

Telex-Number

Syntax (LDAP)

Telex-Number (LDAP style)

Example (DAP)
{TXNC={TN=375679,CC=049,AB=GAMEX B}}
Example (LDAP)
collectiveTelexNumber=375679$049$GAMEX B

Attributes of the LDAP Root Subentry

The LDAP protocol defines the so-called LDAP root as a collection of attributes that describe the LDAP server’s capabilities and supported features. LDAP clients usually read these attributes before they start working with the LDAP server in order to retrieve information about useful features the server provides.

In DirX Directory, the LDAP root subentry /CN=ldapRoot is used to store these attributes. The DSA automatically creates an LDAP root subentry that specifies the default values for the DirX Directory LDAP server. The information within the LDAP root subentry should not be changed once it has been established and the LDAP server has been initialized.

Note that the LDAP root subentry contains local information and modifications to this entry are not propagated by shadowing.

The LDAP root subentry can be retrieved via LDAP by performing the following search request:

obj search "" –allattr –baseobject -vtype SUBENTRY

Like all other subentries it cannot be created via LDAP. However, it can be modified via LDAP.

LDAP Naming Contexts

The LDAP Naming Contexts attribute contains the distinguished names of the naming contexts that the contact DSA masters or shadows. This attribute is a mandatory attribute and must contain at a minimum a string with length 0. The DSA automacially synchronizes the LDAP naming context stored in this attribute with the X.500 context prefix. Therefore it is strongly recommended not to modify this attribute.

Abbreviation

LNCO

LDAP Name(s)

namingContexts

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
LNCO={/C=de/O=my-company/OU=mds}
Example (LDAP)
namingContexts=o=my-company

Alternate Servers

The Alternate Servers attribute specifies the URLs of other LDAP servers that can handle the client’s request. This attribute is an optional attribute.

Abbreviation

ASER

LDAP Name(s)

altServer

Syntax (DAP)

Directory-String {32768}

Example (DAP)
ASER=ldap:\/\/ldapserver.sni.com
Example (LDAP)
altServer=ldap:\/\/ldapserver.sni.com

Supported Extensions

The Supported Extensions attribute specifies the object identifiers of the extensions that the LDAP server supports. This attribute is an optional attribute.

The DirX Directory LDAP server supports the following standardized extensions:

1.3.6.1.4.1.1466.20037 The Start-TLS extended operation.

1.3.6.1.4.1.4203.1.11.1

The LDAP Password Modify Extended Operation. The DirX Directory LDAP server supports this extension with the following restrictions:

  • The operation changes the userPassword attribute (OID 2.5.4.35) of an entry stored in the directory

  • The userIdentity field of the PasswdModifyRequestValue must contain a DistinguishedName

  • The LDAP connection must be established using SSL/TLS protection (LDAPS or sasl EXTERNAL)
Abbreviation

SEXT

LDAP Name(s)

supportedExtension

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
SEXT=1.3.6.1.4.1.1466.20037		LDAP server supports the Start-TLS
   								extended operation
Example (LDAP)
supportedExtension=1.3.6.1.4.1.1466.20037

Supported Control

The Supported Control attribute specifies the object identifiers of the controls that the LDAP server supports. This attribute is an optional attribute.

LDAP clients use the values of this attribute to evaluate whether they can successfully include the control values to their operations. The controls themselves are intended to optimize operations; for example, search operations with a large search result.

See DirX Directory Commands -> dirxcp -> obj (dirxcp) -> -control Option in the DirX Directory Administration Reference for details on how to specify controls for dirxcp obj operations.

The default value of the DirX Directory LDAP server is:

1.2.840.113556.1.4.319 Simple Paged Results for request and response. The abbreviation for this control is SPAGRES.

1.2.840.113556.1.4.473

Server Side Sorting Request.

The abbreviation for this control is SSSREQ.

1.2.840.113556.1.4.474

Server Side Sorting Response.

The abbreviation for this control is SSSRESP.

1.3.6.1.4.1.21008.108.63.1

LDAP Session Tracking Control

The abbreviation for this control is LSTRACK.

1.3.6.1.1.22

Don’t Use Copy Control. This control is intended to direct the server to return master information in LDAP search and LDAP compare operations. It should not be attached to other operations. It overrides the settings for the respective operations service controls (ldapSearchServiceControls and ldapCopmpareServiceControls) configured in the configuration subentry of the LDAP server.

The abbreviation for this control is DONTUSECOPY.

1.3.6.1.4.1.7628.5.101.1

LDAP Subentries Control. The server returns only subentries in a search response. In DirX Directory for example, the dirxcp obj search command attaches the Subentry Control to the search request if the option -vtype SUBENTRY is specified.

The abbreviation for this control is LSUBE.

1.3.6.1.4.1.42.2.27.8.5.1

Password Policy Request and Password Policy Response according to the IETF draft RFC "Password Policy for LDAP Directories"
(document: draft-behera-ldap-password-policy-07.txt).

The abbreviation for this control is PPOREQRESP.

2.16.840.1.113730.3.4.18

LDAP Proxied Authorization Control according to the
IETF RFC 4370.

The abbreviation for this control is LPROXYAUTH.

1.3.12.2.1107.1.3.2.12.5

LDAP Relaxed Update Control. This is a proprietary control. It supports attaching a control to modify entry operations over LDAP that results in:

  • Returning SUCCESS instead of a “no such attribute or value” error if the client request attempts to delete a non-existing attribute value.

  • Returning SUCCESS instead of an “attribute or attribute value already exists” error if the client request attempts to add an already existing attribute value.

The abbreviation for this control is RELAXEDUPD.

1.3.12.2.1107.1.3.2.12.6

LDAP Max Paging Timeout Control. This is a proprietary control. It directs the LDAP server to use a 3600 second (1 hour) timeout in paged search requests instead of the configured value in the PAGP (Paging-Policy) attribute.

The abbreviation for this control is MAXPAGTO.

1.3.12.2.1107.1.3.2.12.7

LDAP Use MT, MN, CRT, CRN from DAP Request Control. This is a proprietary control. The server uses the modifyTimestamp (MT), the modifiersName (MN), the createTime (CRT), and the creatorsName (CRN) from the DAP request.

The abbreviation for this control is USEREQOPATTR.

1.3.12.2.1107.1.3.2.12.9

LDAP No Modification Time Update Control. This is a proprietary control. The server does not update the modifyTimestamp (MT).

The abbreviation for this control is NOMODTIMEUPD.

1.3.12.2.1107.1.3.2.12.10

LDAP Conditioned Operation Control. This is a proprietary control. A modify or delete operation is performed only if the condition specified in the control’s value applies. The control’s value must be specified.

The abbreviation for this control is CONDOP.

1.3.12.2.1107.1.3.2.12.11

LDAP Search Result Info Control. This is a proprietary control. A search operation returns information about the search result like the number of result entries instead of the result.

The abbreviation for this control is SEARCHRESINFO.

1.3.12.2.1107.1.3.2.12.12

LDAP Incremental Replace Control. This is a proprietary control. The server increments (decrements negative values) attributes with syntax integer when performing a replace in a modify entry operation. The attribute must not be multi-valued. The control has no value. The default for criticality is 1 and cannot be changed. If none of the updates is a replace or none of the replaced attributes has the syntax integer, the control is ignored.

For example,
dirxcp> modify cn=Mueller,ou=Sales,o=My-Company
-control INCRREPL -replaceattr -intAttr=*number increments the value of the attribute *intAttr of the entry cn=Mueller,ou=Sales,o=My-Company by number.

The abbreviation for this control is INCRREPL.

1.3.12.2.1107.1.3.2.12.13

LDAP Matched Value Only Filter Control. This is a proprietary control. A search operation returns only those requested attribute values that match to the filter in the control’s value. (See DirX Directory String Representation for LDAP Binds -> Search Filters -> LDAP Matched Value Only Filter Control for details.) For example, it can be used to retrieve one particular certificate.

The abbreviation for this control is MVOF.

The DirX Directory DSA supports the controls for search request and responses when the suitable indices are created in the DSA’s database.

If an LDAP search operation requests server-side sorting, the search operation must be performed with "dereference aliases always" or the DSA returns an "Unwilling to Perform" error. This behavior is independent from whether or not the database actually contains alias entries.

Be aware that using some of the listed LDAP controls may break the server behavior described in the LDAP/X.500 standards.

Abbreviation

SCON

LDAP Name(s)

supportedControl

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
{SCON=2.16.840.1.113730.3.4.9;1.2.840.113556.1.4.473;1.2.840.113556.1.4.474;1.2.840.113556.1.4.319;2.16.840.1.113730.3.4.10}
Example (LDAP)
{supportedControl=2.16.840.1.113730.3.4.9;1.2.840.113556.1.4.473;1.2.840.113556.1.4.474;1.2.840.113556.1.4.319;2.16.840.1.113730.3.4.10}

Supported SASL Mechanism

The Supported SASL Mechanism attribute specifies the names of the SASL authentication mechanisms that the LDAP server supports. This attribute is an optional attribute. (See RFC 2222 for details on SASL.)

The LDAP server supports the EXTERNAL SASL (attribute value EXTERNAL) mechanism. This mechanism type means that the LDAP server supports certificate-based client authentication based on SSL/TLS.

Abbreviation

SSME

LDAP Name(s)

supportedSASLMechanisms

Syntax (DAP)

Directory-String {32768}

Example (DAP)
SSME=EXTERNAL
Example (LDAP)
supportedSASLMechanisms=EXTERNAL

Supported LDAP Versions

The Supported LDAP Versions attribute specifies the LDAP protocol versions that the LDAP server supports. This attribute is a mandatory attribute. Valid values are 2, and 3.

Abbreviation

SLVE

LDAP Name(s)

SupportedLDAPVersion

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP style)

Example (DAP)
SLVE=2;3 	LDAP server supports LDAP protocol versions 2 and 3
Example (LDAP)
SupportedLDAPVersion=2;3

Og Supported Profile

The Og Supported Profile attribute specifies the object identifiers of the profiles that the LDAP server supports. This attribute is a mandatory attribute.

Abbreviation

OSPR

LDAP Name(s)

ogSupportedProfile

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
OSPR=1.2.826.0.1050.11.1.1; 1.2.826.0.1050.11.2.1
LDAP server supports the Open Group Profiles Read-Only LDAP server and Read-Write LDAP server
Example (LDAP)
ogSupportedProfile=1.2.826.0.1050.11.1.1; 1.2.826.0.1050.11.2.1

Vendor Name

The Vendor Name attribute specifies the name of the LDAP server implementer. This attribute is a single-valued, optional attribute.

Abbreviation

RFCVN

LDAP Name(s)

vendorName

Syntax (DAP)

Directory-String

Syntax (LDAP)

Directory-String (LDAP style)

Example (DAP)
RFCVN=Eviden
Example (LDAP)
vendorName=Eviden

Vendor Version

The Vendor Version attribute specifies the version of the LDAP server. This attribute is a single-valued, optional attribute.

Abbreviation

RFCVV

LDAP Name(s)

vendorVersion

Syntax (DAP)

Directory-String

Syntax (LDAP)

Directory-String (LDAP style)

Example (DAP)
RFCVV=DirX Directory V8.2 A 8.6.146 2011:05:24 20:10 32-Bit
Example (LDAP)
vendorVersion=DirX Directory V8.2 A 8.6.146 2011:05:24 20:10 32-Bit

LDAP Subschema Subentry

The LDAP Subschema Subentry attribute specifies the distinguished names of the LDAP subschema subentries. This attribute is a mandatory attribute.

Abbreviation

LSSU

LDAP Name(s)

subSchemaSubentry

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP Style)

Example (DAP)
LSSU={/CN=Schema}
Example (LDAP)
subSchemaSubentry=cn=Schema

Attributes of the Schema Subentry

The schema information (attribute types and object classes) is saved in the attributes of the schema subentry. The schema subentry is created automatically by the DirX Directory DSA. LDAP clients usually read this subentry to get LDAP server’s schema information. The distinguished name (DN) of the schema subentry is saved in the LDAP Subschema Subentry attribute of the LDAP root subentry and must consist of only one relative distinguished name (RDN). By default the name of the schema subentry is cn=Schema.

It is not recommended to modify the default name of the schema. However there may be reasons that you must rename the schema. In this case, you modify the LDAP Subschema Subentry attribute value of the LDAP root subentry. After modifying this value, you must re-start the DirX Directory Service so that the modification becomes effective. The DSA will rename the schema subentry automatically.

Note that the LDAP root subentry contains local information and modifications to this entry are not propagated by shadowing. You must perform the modification to the LDAP Subschema Subentry attribute value on all servers participating in your network. Schema modifications, however, are propagated by shadowing.

The schema must be legal and consistent for all servers to work correctly. All attribute types and all object classes of the schema must have an LDAP name. The LDAP server does not start if it detects an attribute type or object class in the schema without an LDAP name assigned. If an LDAP client uses attributes not present in the schema, they will be ignored in the request. (See section titled Schema Check in chapter titled DirX Directory Default DSA Schema in the DirX Directory Administration Reference how to perform a schema check.)

Schema modifications become effective immediately in the DSA and in the LDAP server where the schema has been changed. Additional LDAP servers must be restarted. If the schema is changed not via the LDAP server - for example, new attributes have been added by dirxcp after a DAP bind - all LDAP servers must be restarted. (See the dirxadm ldap restart operation in the chapter DirX Directory Commands in the DirX Directory Administration Reference for details.)

The LDAP schema subentry can be retrieved by dirxcp via LDAP by performing the following request:

obj show cn=Schema –allattr

Like all other subentries, it cannot be created via LDAP. However, it can be modified via LDAP by

  • performing dirxcp obj operations after performing an LDAP bind

  • importing an LDIF content file containing schema information

  • DirX Directory Manager.

LDAP AT

The LDAP AT attribute is a multi-valued attribute specifying the attribute types used within the schema. The component NAME '*attribute_type_name'* provides the LDAP names of the attribute type. (See the section titled Attribute-Type-Description in the chapter DirX Directory String Representation for LDAP Binds for details.)

Abbreviation

AT

LDAP Name(s)

attributeTypes, at

Syntax (LDAP)

Attribute-Type-Description (LDAP style)

Example (LDAP)
attributeTypes=
....
( 2.5.4.20 NAME 'MYtelephoneNumber' EQUALITY telephoneNumberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 {32} )
....

LDAP OC

The LDAP OC attribute is a multi-valued attribute specifying the object classes used within the schema. The component NAME '*object_class_name'* provides the LDAP name of the object class. You can specify only one LDAP name for an object class. (See the section titled Object-Class-Description in the chapter DirX Directory String Representation for LDAP Binds for details.)

Abbreviation

OC

LDAP Name(s)

objectClasses, oc

Syntax (LDAP)

Object-Class-Description (LDAP style)

Example (LDAP)
objectClasses=
....
( 2.5.6.16 NAME 'MYcertificationAuthority' SUP top AUXILIARY MUST (cACertificate $ certificateRevocationList $ authorityRevocationList) MAY crossCertificatePair )
....

Attributes for LDAP Server Configuration

Attributes for LDAP server configuration are attributes of the LDAP configuration subentry with the default name /CN=ldapConfiguration. Several LDAP configuration subentries may be present within the same database with unique common names. Specify the Common Name of the LDAP configuration subentry of the first / default LDAP server to be started in the environment variable DIRX_DEFAULT_LDAP_SERVER; if not, the default LDAP configuration subentry with the name ldapConfiguration should be used.

Run the script ldap_admin.cp (using dirxcp) to create a default LDAP configuration subentry that specifies default values for the DirX Directory LDAP server. Use the dirxcp obj operations to modify the attributes of the default LDAP configuration subentry or to create new LDAP configuration subentries. Like all other subentries, it cannot be created via LDAP. However, it can be modified via LDAP.

Modifications of an LDAP configuration subentry become effective after a restart of the LDAP server. (See the dirxadm ldap restart operation in the DirX Directory Administration Reference for details.)

The attributes of the LDAP configuration subentry

  • specify the service controls that the LDAP server uses when sending an operation to the DSA (LDAP Search Service Controls, LDAP Compare Service Controls, LDAP Add Service Controls, LDAP Remove Service Controls, LDAP Modify Service Controls, LDAP Modify DN Service Controls).

  • control the options of an LDAP search request:

    • the maximum number of requested attributes (LDAP Maximum Requested Attributes)

    • the maximum number of filter items (LDAP Maximum Filter Items)

  • control connection handling:

    • the TCP port number (LDAP Port Number)

    • the secure port number (LDAP Secure Port Number)

    • the name of the SSL configuration subentry (LDAP SSL configuration subentry CN)

    • whether or not clients can switch from a normal (plain) LDAP bind to a secure LDAP bind (LDAP Start TLS Enabled)

    • the maximum number of simultaneous connections (LDAP Anonymous Connections)

    • the number of simultaneous anonymous connections (LDAP Anonym DAP Pool Size)

    • the number of seconds that an idle client connection remains open (LDAP Connection Idle Time)

    • the number of seconds that an authenticated connection remains open after the last performed unbind (LDAP Unbind Delay Time)

    • whether clients can share the same connection (LDAP Backend Sharing, LDAP Maximum Share Count)

    • whether the LDAP server grants or denies access to clients with a specific IP address or distinguished name, or denies anonymous or authenticated access (LDAP Allow IP List, LDAP Deny IP List, LDAP Allowed Users List, LDAP Allowed Groups, LDAP Denied Users List, LDAP Denied Groups, LDAP Deny Anonymous Access, LDAP Only Allow Anonymous Access)

    • policies for users (LDAP User Policies) or groups (LDAP Group Policies)

    • whether clients can bind to the LDAP server only over a specific IP address (LDAP Listen IP List)

  • control the encoding and conversion of attributes (LDAP ASN1 Header, LDAP Charset Conv Request, LDAP Charset Conv Result).

  • control the operations that the LDAP server is willing to perform (LDAP Read Only Server).

  • control the thread pool size (LDAP Thread Pool Size).

  • control the LDAP flow to avoid capacity overload over the socket layer:

    • the TCP keep alive (LDAP Socket Keep Alive)

    • the use of non-blocking sockets (LDAP Asynchronous Sockets)

    • the maximum timeout for send and receive operation calls (LDAP Max Send Timeout, LDAP Max Recv Timeout)

    • the maximum number of incomplete operations per connection (LDAP Max Incomplete Ops per Connection)

    • the operation stack size limit (LDAP Op Stack Limit)

    • the number of overflow threads (LDAP Overflow Threads)

  • control the LDAP cache:

    • enable or disable the LDAP cache (LDAP Cache)

    • control the storage of search results (LDAP Cache Max Cached Elements, LDAP Cache Maximum Memory Size, LDAP Cache Min Cache Time, LDAP Cache Max Cache Time, LDAP Cache Min Cache Entries, LDAP Cache Max Cache Entries, LDAP Cache Min Attributes, LDAP Cache Max Attributes, LDAP Cache Min Values, LDAP Cache Max Values, LDAP Cache Table Size, LDAP Cache Update Strategy)

  • specify the name of the LDAP audit configuration subentry (LDAP Audit Configuration Subentry CN).

  • control the accessibility of LDAP extended operations:

    • specify the users and groups that can perform LDAP extended operations (LDAP Extended Operation Admins, LDAP Extended Operation Read Users, LDAP Extended Operations Execute Users, LDAP Extended Operations Monitoring Users, LDAP Extended Operation Admin Groups, LDAP Extended Operation Read Groups, LDAP Extended Operations Execute Groups, LDAP Extended Operations Monitoring Groups)

    • specify the LDAP extended read, execute and monitoring operations (LDAP Extended Read Operations, LDAP Extended Execute Operations, LDAP Extended Monitoring Operations)

The following sections provide information about these attributes.

LDAP Search Service Controls

The LDAP Search Service Controls attribute specifies the service controls that apply to the search operation. This attribute is an optional, single-valued attribute. Specify the value in the following format:

PreferChaining=Flag:ChainingProhibited=Flag:LocalScope=Flag:DontUseCopy=Flag:
DontDereferenceAlias=Flag:Subentries=Flag:CopyShallDo=Flag:Priority=Integer:
_TimeLimit=_Integer:SizeLimit=Integer:ScopeOfReferral=Integer:AttributeSizeLimit=Integer

where:

PreferChaining=Flag

indicates whether chaining is preferred, rather than referrals. Specify T (true - indicates to prefer chaining) or F (false - indicates to prefer referrals). The default value is T (prefer chaining).

ChainingProhibited=Flag

indicates whether chaining and other methods of distributing the request around the Directory are prohibited. Specify T (true - indicates to prohibit chaining) or F (false - indicates to permit chaining). The default value is F (permit chaining).

LocalScope=Flag

indicates whether the operation is to be limited to a local scope as specified in the Local Scope Policy. (See Local Scope Policy attribute and Local Scope Policy Syntax for details.) Specify T (true - indicates limitation to a local scope) or F (false - indicates no limitation to a local scope). The default value is F (no limitation to a local scope).

DontUseCopy=Flag

indicates whether copied (shadowed) information shall not be used to provide the service. Specify T (true - indicates not to use copies) or F (false - indicates to use copies). The default value is T (not to use copies) and F (to use copies) for LDAP Search and Compare Service Controls attributes.

DontDereferenceAlias=Flag

indicates whether an alias entry used to identify the entry affected by an operation is not to be dereferenced. This is necessary to refer to an alias entry itself rather than the aliased entry. In modify operations, alias dereferencing is not supported. Specify F (false - indicates to dereference aliases) or T (true - indicates not to dereference aliases). The default value is F (dereference aliases).

Subentries=Flag

indicates whether a search or list operation returns only subentries and normal entries become inaccessible. Specify T (true - indicates to return only subentries) or F (false - indicates to return only normal entries). The default value is F (return only normal entries).

CopyShallDo=Flag

indicates, when an operation is able to partly but not fully satisfy a query at a copied (shadowed) information of an entry, whether it need not chain the query. This service control is meaningful only if DontUseCopy=F. Specify T (true - indicates to permit operations that do not fully satisfy a query with shadowed information) or F (false - indicates to prohibit operations that do not completely satisfy a query with shadowed information and to chain the query).

The default value is F (partial results using copied information are prohibited) except for LDAP Search and Compare Service Controls attributes. There the default value is T (partial results using copied information are permitted).

Priority=Integer

specifies the priority at which the service is to be provided. Specify one of the following values:

  • 0 - indicates low priority.

  • 1 - indicates medium priority.

  • 2 - indicates high priority.

The default value is 1 (medium).

TimeLimit=Integer

specifies the maximum elapsed time in seconds for completion of an operation. Specify a non-negative integer. A value of 0 (zero) indicates no time limit. The default value is 0.

SizeLimit=Integer

specifies the maximum number of objects returned for a list or search operation. Specify a non-negative integer. A value of 0 (zero) indicates no size limit. The default value is 0.

ScopeOfReferral=Integer

specifies the scope to which a referral returned by a DSA should be relevant. Specify one of the following values:

  • 0 - indicates DMD (Directory Management Domain).

  • 1 - indicates Country.

  • 2 - indicates Unlimited.

The default value is 2 (no limitation).

AttributeSizeLimit=Integer

specifies the maximum size (in octets) of any attribute (the type and all its values) to be returned. If an attribute exceeds this limit, all of its values are omitted. Specify a non-negative integer. A value of 0 (zero) indicates no size limit. The default value is 0.

Abbreviation

LSES

LDAP Name(s)

ldapSearchSvcCtl

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LSES={SizeLimit=11:ScopeOfReferral=1:PreferChaining=F}
Example (LDAP)
ldapSearchSvcCtl=SizeLimit=11:ScopeOfReferral=1:PreferChaining=F

LDAP Compare Service Controls

The LDAP Compare Service Controls attribute specifies the service controls that apply to the compare operation. This attribute is an optional, single-valued attribute. Specify the value in the same format as described for the LDAP Search Service Controls (see this section for details).

Abbreviation

LCOS

LDAP Name(s)

ldapCompareSvcCtl

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LCOS={SizeLimit=11:ScopeOfReferral=1:PreferChaining=F}
Example (LDAP)
ldapCompareSvcCtl=SizeLimit=11:ScopeOfReferral=1:PreferChaining=F

LDAP Add Service Controls

The LDAP Add Service Controls attribute specifies the service controls that apply to the create operation. This attribute is an optional, single-valued attribute. Specify the value in the same format as described for the LDAP Search Service Controls (see there for details).

Abbreviation

LADS

LDAP Name(s)

ldapAddSvcCtl

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LADS={SizeLimit=11:ScopeOfReferral=1:PreferChaining=F}
Example (LDAP)
ldapAddSvcCtl=SizeLimit=11:ScopeOfReferral=1:PreferChaining=F

LDAP Remove Service Controls

The LDAP Remove Service Controls attribute specifies the service controls that apply to the remove/delete operation. This attribute is an optional, single-valued attribute. Specify the value in the same format as described for the LDAP Search Service Controls (see this section for details).

Abbreviation

LRES

LDAP Name(s)

ldapRemoveSvcCtl

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LRES={SizeLimit=11:ScopeOfReferral=1:PreferChaining=F}
Example (LDAP)
ldapRemoveSvcCtl=SizeLimit=11:ScopeOfReferral=1:PreferChaining=F

LDAP Modify Service Controls

The LDAP Modify Service Controls attribute specifies the service controls that apply to the modify operation. This attribute is an optional, single-valued attribute. Specify the value in the same format as described for the LDAP Search Service Controls (see there for details).

Abbreviation

LMOS

LDAP Name(s)

ldapModifySvcCtl

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LMOS={SizeLimit=11:ScopeOfReferral=1:PreferChaining=F}
Example (LDAP)
ldapModifySvcCtl=SizeLimit=11:ScopeOfReferral=1:PreferChaining=F

LDAP ModifyDN Service Controls

The LDAP ModifyDN Service Controls attribute specifies the service controls that apply to the modify DN operation. This attribute is an optional, single-valued attribute. Specify the value in the same format as described for the LDAP Search Service Controls (see there for details).

Abbreviation

LMDS

LDAP Name(s)

ldapModifyDNSvcCtl

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LMDS={SizeLimit=11:ScopeOfReferral=1:PreferChaining=F}
Example (LDAP)
ldapModifyDNSvcCtl=SizeLimit=11:ScopeOfReferral=1:PreferChaining=F

LDAP Maximum Requested Attributes

The LDAP Maximum Requested Attributes attribute specifies the maximum number of requested attributes that a client is allowed to specify in an LDAP search request. This attribute is an optional, single-valued attribute.

Huge lists of requested attributes can significantly increase the request size, the audit record size and the processing time of an LDAP search operation. You can use this attribute to avoid these situations and to block malicious client applications. If a search request contains more than the specified maximum, the search is rejected with an administrative limit exceeded error code and a corresponding LDAP message.

If this attribute is not specified or has a value of 0, the default is to allow an unlimited number of requested attributes.

When specified in an LDAP search operation, the LDAP-defined abbreviations * (all user attributes) and + (all operational attributes) are treated as one requested attribute each.

Abbreviation

LMAXRA

LDAP Name(s)

ldapMaxReqAttrs

Syntax (DAP)

Integer

Example (DAP)
LMAXRA=100
Example (LDAP)
ldapMaxReqAttrs=100

LDAP Maximum Filter Items

The LDAP Maximum Filter Items attribute specifies the maximum number of filter Items that a client is allowed to specify in the filter of an LDAP search request. This attribute is an optional, single-valued attribute.

A huge number of filter items can significantly increase the request size, the audit record size and the processing time of an LDAP search operation. You can use this attribute to avoid these situations and to block malicious client applications. If a search request contains a filter expression with more than the specified number of filter items, the search is rejected with an administrative limit exceeded error code and a corresponding LDAP message.

If this attribute is not specified or has a value of 0, the default is to allow an unlimited number of filter items is.

Abbreviation

LMAXFI

LDAP Name(s)

ldapMaxFilterItems

Syntax (DAP)

Integer

Example (DAP)
LMAXFI=128
Example (LDAP)
ldapMaxFilterItems=128

LDAP Port Number

The LDAP Port Number attribute specifies the TCP port number on which the LDAP server is to listen. This attribute is an optional, single-valued attribute. The default value is 389.

Abbreviation

LPNU

LDAP Name(s)

ldapPortNumber

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LPNU=6666
Example (LDAP)
ldapPortNumber=6666

LDAP Secure Port Number

The LDAP Secure Port Number attribute specifies the port number on which the LDAP server is to listen for Secure Socket Layer (SSL) secured LDAP protocol. A value of 0 indicates that SSL is disabled. To enable SSL, it is recommended to specify the value 636 because this is the standard port for SSL. This attribute is an optional, single-valued attribute. The default value is 0 (SSL is turned off).

When SSL is enabled, the LDAP server tries to read also the LDAP SSL configuration subentry. The distinguished name of the LDAP SSL configuration subentry is specified in the LDAP SSL Configuration Subentry attribute of the LDAP configuration subentry. (See also the sections LDAP SSL Configuration Subentry and Attributes for LDAP Server SSL Configuration.)

Abbreviation

LSPN

LDAP Name(s)

ldapSecurePortNumber

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LSPN=636
Example (LDAP)
ldapSecurePortNumber=636

LDAP SSL Configuration Subentry CN

The LDAP SSL Configuration Subentry CN attribute specifies the common name attribute of the LDAP SSL configuration subentry. This attribute is an optional single-valued attribute. When this attribute is omitted the LDAP server reads the LDAP SSL configuration subentry with the default common name value LdapSSLConfiguration.

Abbreviation

LSCCN

LDAP Name(s)

ldapSSLCfgSubentryCN

Syntax (DAP)

Printable String

Syntax (LDAP)

Printable String (LDAP style)

Example (DAP)
LSCCN={LDAPSSLConfigurationSubentry}
Do not specify the ‘CN’ attribute type in the value!
Example (LDAP)
ldapSSLCfgSubentryCN=LDAPSSLConfigurationSubentry
Do not specify the ‘cn’ attribute type in the value!

LDAP Start TLS Enabled

The LDAP Start TLS Enabled attribute specifies whether or not the LDAP extended operation startTLS is allowed. This operation allows a client to turn on the SSL/TLS security layer for an LDAP connection that was created as a normal (plain) LDAPv3 connection. See also the section DirX Directory Commands obj (dirxcp) in the DirX Directory Administration Reference.

A value of 1 means that the DirX Directory LDAP server accepts a startTLS extended operation. A value of 0 means that startTLS is disabled in the configuration.

Note that you are allowed to enable the startTLS operation even though the LDAP server does not provide secure access via the Secure LDAP Port (LDAPS); that is, the LDAP Start TLS Enabled attribute can be set to 1, while the LDAP Secure Port Number can be set to 0.

Note also that a client does not need to have the permission to run LDAP extended operations (via the LDAP Extended Operation Admins attribute) in order to perform the startTLS operation. If LDAP Start TLS Enabled is set to 1, all clients are allowed to perform the startTLS operation.

If the LDAP Start TLS Enabled attribute is set to 1, the LDAP server tries to read the LDAP SSL configuration subentry at startup. As a result, the appropriate SSL key material must be provided.

Abbreviation

LSTEN

LDAP Name(s)

ldapStartTLSenabled

Syntax (DAP)

Integer

Syntax (LDAP)

Integer (LDAP Style)

Example (DAP)
LSTEN=1
Example (LDAP)
ldapStartTLSenabled=0

LDAP Max Connections

The LDAP Max Connections attribute specifies the maximum number of simultaneous LDAP connections that the LDAP server supports. This attribute is an optional, single-valued attribute. The default value is 4000.

System resources, the value of this attribute, and the behavior concerning LDAP backend sharing determine the maximum number of simultaneous connections that can be established. See the section titled LDAP Backend Sharing for details.) The value of this attribute also includes the number of connections established for anonymous binds. (See the section titled LDAP Anonym DAP Pool Size for details.)

The system file descriptor limit must be set accordingly (ulimit) to support the configured value. On Windows systems, a value of 4000 is appropriate if the IDM stack is used. (See the environment variable DIRX_OWN_PSAP in the DirX Directory Administration Reference for information on how to enable the IDM stack.) On Linux systems, a value of 4000 is appropriate if the IDM stack is used and the file system descriptor limit is set to 8192 (ulimit -n 8192).

Abbreviation

LMCO

LDAP Name(s)

ldapMaxConnections

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LMCO=124
Example (LDAP)
ldapMaxConnections=124

LDAP Anonym DAP Pool Size

The LDAP Anonym DAP Pool Size attribute is provided to configure the number of simultaneous DAP connections that the LDAP server establishes to the DSA for anonymous binds. Additionally the LDAP server establishes one DAP connection for internal operations. This attribute is an optional, single-valued attribute. The default value is 5.

Increasing the value of this attribute may result in improving the performance for anonymous binds. However the maximum number of connections established for authenticated binds decreases. The maximum number of simultaneous connections that can be established is determined by system resources, by the maximum number of connections specified in the LDAP Max Connections attribute, and by the behavior concerning LDAP Backend Sharing.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LADPS

LDAP Name(s)

ldapAnonymDapPoolSize

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LADPS=3
Example (LDAP)
ldapAnonymDapPoolSize=3

LDAP Connection Idle Time

The LDAP Connection Idle Time attribute specifies the number of seconds of client inactivity after which the LDAP server is to close an LDAP connection to an LDAP client. This attribute is an optional, single-valued attribute. The default value is 300 seconds.

Abbreviation

LCIT

LDAP Name(s)

ldapConnectionIdleTime

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LCIT=600
Example (LDAP)
ldapConnectionIdleTime=600

LDAP Unbind Delay Time

By default, the LDAP server tries to share DAP backend connections among the same authenticated LDAP client connections; for example, two LDAP clients bound with the same credentials use the same DAP backend connection. The LDAP Unbind Delay Time attribute specifies whether authenticated DAP binds shall be kept for a certain time or shall be unbound immediately by the LDAP server if no references to a specific bind are present. This attribute is an optional, single-valued attribute. Specify one of the following values:

0 - close authenticated DAP connections immediately after the last LDAP client using that connection has unbound.

n>0 - keep authenticated DAP connections for at least n seconds after the last LDAP client using that connection has unbound.

The default value is 0.

The value of this attribute does not affect anonymous binds.

It is recommended to close all authenticated binds immediately at unbind time if password lockout policy (Password Lockout attribute of the password policy subentry) or password aging policy (Password Maximum Age attribute of the password policy subentry) is enabled, because existing binds are not closed automatically if accounts are locked out or passwords expire due to the password policy enabled. New performed binds using locked out accounts or expired passwords are accepted if an authenticated DAP connection using these credentials is already open. (See the section titled Attributes of the Password Policy Subentry for details.)

Abbreviation

LUDT

LDAP Name(s)

ldapUnbindDelayTime

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LUDT=60
Example (LDAP)
ldapUnbindDelayTime=60

LDAP Backend Sharing

The LDAP Backend Sharing attribute type specifies whether

  • Clients with the same credentials share the same DAP connection and

  • Newly performed binds with existing credentials are accepted as long as at least one bind with these credentials exists. These binds are accepted even though the password has been modified and the client uses the old password.

or

  • Clients with the same credentials do not share the same DAP connection and

  • Newly performed binds are rejected if the client uses a password that has been changed while other clients are still bound with this password.

Note that binds exist until an unbind operation is performed or when there has been no operation performed for a specific time. (See the LDAP Connection Idle Time and the LDAP Unbind Delay Time attribute sections in this chapter for details.) Existing binds are not aborted when the password is modified.

Specify one of the following values:

TRUE - Newly performed binds using the old password are accepted as long at least one bind with the old password exists. Clients with identical credentials share the same connection.

FALSE - Newly performed binds using the old password are rejected. Each client uses its own connection. Note that this increases the use of system resources.

The default value is TRUE.

The value of this attribute does not affect anonymous binds.

It is recommended to disable backend sharing if the password lockout policy (Password Lockout attribute of the password policy subentry) or the password aging policy (Password Maximum Age attribute of the password policy subentry) are enabled because there is no automatic disabling of backend sharing if accounts are locked out or passwords expire due to the enabled password policy. New performed binds using locked-out accounts or expired passwords are accepted if an authenticated DAP connection using these credentials is already open. (See the section titled Attributes of the Password Policy Subentry for details.)

Abbreviation

LBS

LDAP Name(s)

ldapBackendSharing

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LBS=FALSE
Example (LDAP)
ldapBackendSharing=FALSE

LDAP Maximum DAP Share Count

The single-valued LDAP Maximum DAP Share Count attribute type specifies how many LDAP users can share the same DAP connection when they authenticate with the same credentials if LDAP backend sharing is enabled. (See the LDAP Backend Sharing attribute section of this chapter for details.)

The default value is 5. Using more DAP connections can increase the throughput but also increases the resource usage for file descriptors.

The value of this attribute does not affect anonymous binds.

The values of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation described in the DirX Directory Commands chapter and the LDAP MIB Static Table section in the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

Abbreviation

LMDSC

LDAP Name(s)

ldapMaxDapShareCount

Syntax (DAP)

Inetger

Syntax (LDAP)

Integer (LDAP Style)

Example (DAP)
LMDSC=10
Example (LDAP)
ldapMaxDapShareCount=8

LDAP Allow IP List

The LDAP server grants access to clients by evaluating the LDAP Allow IP List attribute. If the IP address of the client matches a value in the LDAP Allow IP List attribute the LDAP server grants access to the client. If the client’s IP address also matches a value in LDAP Deny List attribute, the LDAP server denies access to the client. (A client’s IP address must match the allow list and must not match the deny list to get access.)

Specify the IP4 address values in the shortest dotted notation (no blanks or initial zeros allowed), for example 192.23.81.23 (and not 192.023.081.023 or 192. 23. 81. 23). Use the wildcard (*) character to specify subnets, for example 192.23.*.81 (all IP addresses from 192.23.0.81 through 192.23.255.81).

Use the value *.*.*.* or the keyword all to specify all possible IP addresses.

Use the value 0.0.0.0 or the keyword none to specify no IP address.

The default value is all.

The values of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation described in the DirX Directory Commands chapter and the LDAP MIB Static Table section in the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

See also section LDAP Deny IP List of this chapter.

Note that access is only granted to clients if both allow and deny list evaluation lead to a positive result for a given IP address. That is an IP address must be allowed and must not be denied to match the acceptance criteria.

Abbreviation

LAIP

LDAP Name(s)

ldapAllowIPList

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{LAIP=123.23.81.23;130.*.*.*}
LAIP=all       All IP addresses are allowed.
LAIP=none      No IP address is allowed.
Example (LDAP)
{ldapAllowIPList=123.23.81.23;130.*.*.*}
ldapAllowIPList=all       All IP addresses are allowed.
ldapAllowIPList=none      No IP address is allowed.

LDAP Deny IP List

The LDAP server denies access to clients by evaluating the LDAP Deny IP List attribute. If the IP address of the client matches a value in the LDAP Deny IP List attribute the LDAP server denies access to the client.

Specify the IP4 address values in the shortest dotted notation, for example 192.23.81.23 (and not 192.023.081.023). Use the wildcard (*) character to specify subnets, for example 192.23.*.81 (that are all IP addresses from 192.23.0.81 through 192.23.255.81).

Use the value *.*.*.* or the keyword all to specify all possible IP addresses.

Use the value 0.0.0.0 or the keyword none to specify no IP address.

The default value is none.

The values of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation of the DirX Directory Commands chapter and the LDAP MIB Static Table section of the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

See also the section LDAP Allow IP List in this chapter.

Note that access is only granted to clients if both allow and deny list evaluation lead to a positive result for a given IP address; that is, an IP address must be allowed and must not be denied to match the acceptance criteria.

Abbreviation

LDIP

LDAP Name(s)

ldapDenyIPList

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{LDIP=124.23.81.23;140.*.*.23}
LDIP=*.*.*.*   All IP addresses are denied.
LDIP=none      No IP address is denied.
Example (LDAP)
{ldapDenyIPList=124.23.81.23;140.*.*.23}
ldapDenyIPList=*.*.*.*   All IP addresses are denied.
ldapDenyIPList=none      No IP address is denied.

LDAP Allowed Users List

The LDAP server grants or denies access to clients by evaluating the multi-valued attributes LDAP Allowed Users List, LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups. If the DN of the client matches one of the values in the LDAP Allowed Users List attribute, the LDAP server grants access to the client. If the client’s DN also matches a value in the LDAP Denied Users List attribute, the LDAP server denies access to the client; that is, a user name must match the allow list and must not match the deny list to get access.

Specify the DN attribute values in LDAP format; for example, cn=Abele,ou=sales,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds for details.)

If a client binds via SASL with the EXTERNAL mechanism, the DN is taken from the user’s certificate subject field independent from the mapping method defined by the attribute LDAP SASL Authz Id Mapping. Specify the user’s subject DN in LDAP format; for example, uid=12345,givenName=Max Mustermann,o=my-company.

Use the keyword all to specify that all distinguished names get access.

Use the keyword none to specify that no distinguished name gets access.

The default value is all.

A DN matches if one of the values of the Allowed Users List attribute is contained in the given DN; that is, if the string from the attribute is part of the given user name. Specify the complete distinguished name of the root node of a subtree if you want to grant access to all users below this subtree node; for example, if you want to grant access to all employees of the sales department of your company, specify the value ou=sales,o=my-company.

The value(s) of this attribute are treated and compared as LDAP DNs by eliminating unspecific blanks and normalizing to lowercase; for example:

CN = Abele, O=My-Company is normalized to cn=abele,o=my-company

The value(s) of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation described in the DirX Directory Commands chapter and the LDAP MIB Static Table section in the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

See also the sections LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups in this chapter.

Note that access is only granted to clients if both allow and deny list and groups evaluation lead to a positive result for a given DN; that is, a DN must be allowed and must not be denied to match the acceptance criteria.

Abbreviation

LAUSL

LDAP Name(s)

ldapAllowedUsers

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{LAUSL=cn=admin,o=my-company;ou=sales,o=my-company}

The LDAP server grants access to the Administrator of My-Company (cn=admin,o=my-company) and to all employees of the Sales department (ou=sales,o=my-company).

LAUSL=all       Access is granted to all users (default).
LAUSL=none      No user can access the LDAP server. Only anonymous access is possible.
Example (LDAP)
{ldapAllowedUsers=cn=admin,o=my-company;ou=sales,o=my-company}
ldapAllowedUsers=all
ldapAllowedUsers=none

LDAP Allowed Groups

The LDAP server grants or denies access to clients by evaluating the multi-valued attributes LDAP Allowed Users List, LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups. The LDAP Allowed Groups attribute specifies the DNs of groups with the object class groupOfNames. The group members are treated in the same way as the DNs listed in the attribute LDAP Allowed Users List.

Specify the attribute values for the group names in LDAP format; for example, cn=validUserGroup,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds for details.)

If this attribute is not specified, no access restriction is applied to any user unless other access attributes are in effect.

The value(s) of this attribute are treated and compared as LDAP DNs by eliminating unspecific blanks and normalizing to lowercase; for example:

CN = Group1 , O=My-Company is normalized to cn=group1,o=my-company

The value(s) of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation described in the DirX Directory Commands chapter and the LDAP MIB Static Table section of the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

See also the sections LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups in this chapter.

Note that access is only granted to clients if both allow and deny list and groups evaluation lead to a positive result for a given DN; that is, a DN must be allowed and must not be denied to match the acceptance criteria.

Abbreviation

LAGRP

LDAP Name(s)

ldapAllowedGroups

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{LAGRP=cn\=validUserGroup\,o\=my-company}

The LDAP server grants access to all members of the group (cn=validUserGroup,o=my-company).

Example (LDAP)
{ldapAllowedGroups=cn=validUserGroup,o=my-company}

LDAP Denied Users List

The LDAP server grants or denies access to clients by evaluating the multi-valued attributes LDAP Allowed Users List, LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups. If the DN of the client matches one of the values in the LDAP Denied Users List attribute, the LDAP server denies access to the client.

Specify the attribute values in LDAP format; for example, cn=Abele,ou=sales,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds for details.)

If a client binds via SASL with the EXTERNAL mechanism, the DN is taken from the user’s certificate subject field independent of the mapping method defined by the attribute LDAP SASL Authz Id Mapping. Specify the user’s subject DN in LDAP format; for example, uid=12345,givenName=Max Mustermann,o=my-company.

Use the keyword all to specify that the LDAP server denies access to all distinguished names.

Use the keyword none to specify that the LDAP server does not deny access to any distinguished name.

The default value is none.

A DN matches if one of the values of the Denied Users List attribute is contained in the given DN; that is, if the string from the attribute is part of the given user name. Specify the complete distinguished name of the root node of a subtree if you want to deny access to all users below this subtree node; for example, if you want to deny access to all employees of the development department of your company, specify the value ou=development,o=my-company.

The value(s) of this attribute are treated and compared as LDAP DNs by eliminating unspecific blanks and normalizing to lowercase, for example:

CN = Abele, O=My-Company is normalized to cn=abele,o=my-company

The value(s) of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation described in the DirX Directory Commands chapter and the LDAP MIB Static Table section in the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

See also the sections LDAP Allowed Users List, LDAP Allowed Groups and LDAP Denied Groups in this chapter.

Note that access is only granted to clients if both allow and deny list and groups evaluation lead to a positive result for a given DN; that is, a DN must be allowed and must not be denied to match the acceptance criteria.

Abbreviation

LDUSL

LDAP Name(s)

ldapDeniedUsers

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{LDUSL=cn\=richter\,ou\=sales\,o\=my-company}

The LDAP server denies access to Mr. Richter an employee of the Sales department (cn=Richter,ou=sales,o=my-company).

LDUSL=all       No user can access the LDAP server. Only anonymous access is possible.
LDUSL=none      Access is granted to all users (default).
Example (LDAP)
{ldapDeniedUsers=cn=richter,ou=sales,o=my-company}
ldapDeniedUsers=all
ldapDeniedUsers=none

LDAP Denied Groups

The LDAP server grants or denies access to clients by evaluating the multi-valued attributes LDAP Allowed Users List, LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups. The LDAP Denied Groups attribute specifies the DNs of groups with the object class groupOfNames. The group members are treated in the same way as the DNs listed in the attribute LDAP Denied Users List.

Specify the attribute values for the group names in LDAP format; for example, cn=invalidUserGroup,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds for details.)

If this attribute is not specified, no access restriction is applied to any user unless other access attributes are in effect.

The value(s) of this attribute are treated and compared as LDAP DNs by eliminating unspecific blanks and normalizing to lowercase; for example:

CN = Group1 , O=My-Company is normalized to cn=group1,o=my-company

The value(s) of this attribute are also stored in the LDAP MIB static table. (See the ldap mib operation described in the DirX Directory Commands chapter and the LDAP MIB Static Table section in the LDAP MIB Tables appendix in the DirX Directory Administration Reference for details.)

See also the sections LDAP Allowed Groups, LDAP Denied Users List and LDAP Denied Groups in this chapter.

Note that access is only granted to clients if both allow and deny list and groups evaluation lead to a positive result for a given DN; that is, a DN must be allowed and must not be denied to match the acceptance criteria.

Abbreviation

LDGRP

LDAP Name(s)

ldapDeniedGroups

Syntax (DAP)

Directory-String {32768}

Example (DAP)
{LDGRP=cn\=GroupInvalidUsers\,o\=my-company}

The LDAP server denies access to all members of the group (cn=GroupInvalidUsers,o=my-company).

Example (LDAP)
{ldapDeniedGroups=cn=GroupInvalidUsers,o=my-company}

LDAP Deny Anonymous Access

The LDAP Deny Anonymous Access attribute specifies whether or not anonymous LDAP client binds are allowed. Especially in security environments, it might be useful to allow only authorized user access to the database.

This feature should not be used if you work with standard LDAP clients. It should only be used when you know that your clients are able to handle it correctly.

Specify one of the following values:

  • TRUE - The LDAP server rejects anonymous LDAP client binds. LDAP clients can only perform simple authenticated or SASL-authenticated binds. Note that this is not LDAPv3 conformant. (See the dirxcp obj bind operation of the of the DirX Directory Commands chapter in the DirX Directory Administration Reference for details.)

  • FALSE - The LDAP server accepts anonymous LDAP client binds.

The default value is FALSE (anonymous users are allowed).

Note that this attribute controls only the LDAP server and not the DSA and is independent of any user policy settings in the database.

Keep in mind that if the LDAP Deny Anonymous Access attribute is set to TRUE and the LDAP Only Allow Anonymous Access attribute is set to 1, no LDAP client is able to bind to the LDAP server.

Abbreviation

LDAA

LDAP Name(s)

ldapDenyAnonymousAccess

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LDAA=TRUE
Example (LDAP)
ldapDenyAnonymousAccess=TRUE

LDAP Only Allow Anonymous Access

The LDAP Only Allow Anonymous Access attribute specifies whether or not only anonymous LDAP client binds are allowed.

Specify one of the following values:

  • 1 - The LDAP server accepts only anonymous LDAP client binds. It rejects all authenticated LDAP client binds with the error code LDAP_INAPPROPRIATE_AUTH (48). It does not establish an anonymous bind automatically as RFC 2251 (and newer) requires. (See the dirxcp obj bind operation of the of the DirX Directory Commands chapter in the DirX Directory Administration Reference for details.)

  • 0 - The LDAP server accepts authenticated LDAP client binds.

The default value is 0.

Note that this attribute controls only the LDAP server and not the DSA and is independent of any user policy settings in the database.

Keep in mind that if the LDAP Only Allow Anonymous Access attribute is set to 1 and the LDAP Deny Anonymous Access attribute is set to TRUE, no LDAP client is able to bind to the LDAP server.

Abbreviation

LOAAL

LDAP Name(s)

ldapOnlyAnonymousAllowed

Syntax (DAP)

Integer

Syntax (LDAP)

Integer (LDAP Style)

Example (DAP)
LOAAL=1
Example (LDAP)
ldapDenyAnonymousAccess=1

LDAP User Policies

The LDAP User Policies attribute specifies policies that apply to a single user or a set of users. This attribute is an optional, multi-valued attribute. Specify the values in the following format:

Class=dn:CONLIMIT=Integer:SIZELIMIT=Integer:TIMELIMIT=Integer:
FORB_SB=dn:FORB_SB_SUB=dn:FORB_TGT=dn:FORB_TGT_SUB=dn:
REQUIRED_SB=dn:REQUIRED_SB_SUB=dn:
REQUIRED_TGT=dn:REQUIRED_TGT_SUB=dn:
MIN_SB_LEVEL=Integer:TLS_REQUIRED=Flag:
PRIO=Integer:INHERIT=Flag:DISCLOSE_VIOLATION=Flag:
QUOTA_MAX_OPS=IntervalUnitLimit:
QUOTQ_MAX_RES_BYTES= IntervalUnitLimit:
MUST_CONTACT_DSA=DSAname:PREF_CONTACT_DSA=DSAname

where:

Class=dn

specifies the user(s) for which the policies apply. Class is mandatory and must be the first assignment of the policies attribute. Specify one of the following keywords:

USER - specifies that the policies apply to a single user. dn specifies the full qualified user name in LDAP format; for example, USER=cn=admin,o=my-company. For details about distinguished names in LDAP format see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds.

For binds with SASL EXTERNAL authentication, specify dn in LDAP format; for example, USER=uid=12345,givenName=Max Mustermann,o=my-company. For details about distinguished names in DAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. If a client binds via SASL with the EXTERNAL mechanism, the DN is taken from the user’s certificate subject field independent of the mapping method defined by the attribute LDAP SASL Authz Id Mapping.

Instead of specifying a full qualified distinguished name, specify one of the following keywords:

  • anonymous - specifies that the policies apply to all users bound anonymously to the LDAP server; that is, to all users that performed an anonymous bind, to all LDAP clients that did not perform a bind, or to users that performed a bind with an invalid credentials error code.

  • all - specifies that the policies apply to all users. If there are multiple policies, the user policies for all have the lowest priority. Anonymous users belong to all if there are no policies for anonymous.

The class USER cannot be overruled by policies of any other class. It is only allowed for the LDAP User Policies attribute.

SUBUSER - specifies that the policies apply to all users below a node in the DIT. dn specifies the full qualified name in LDAP format of the node in the DIT in LDAP format; for example, SUBUSER=ou=sales,o=my-company.

Policies of the class SUBUSER are not applied to users bound with SASL EXTERNAL authentication.

The class SUBUSER is only allowed for the LDAP User Policies attribute.

WCUSER - specifies that dn represents a regular expression syntax string according to Linux/Perl standards. A colon (:) is not allowed in dn; for example, WCUSER=^cn=Digger.*.

If multiple WCUSER class policies match the same user, the policies with the highest priority apply. (See PRIO for details.) If multiple policies match the same user with the same priority, the LDAP server randomly selects the policies.

The class WCUSER is only allowed for the LDAP User Policies attribute.

GROUP - specifies that the policies apply to a group of users. dn specifies the full qualified name in LDAP format of an entry with object class groupOfNames (GON); for example, GROUP=cn=my-group,o=my-company. If a user is member of several groups, the policies with the highest priority apply. (See PRIO for details.) If the priority is also the same, the LDAP server randomly selects the policies.

The class GROUP is only allowed for the LDAP Group Policies attribute.

CONLIMIT=Integer

specifies the maximum number of concurrent LDAP connections a user can open. Specify a positive integer; for example, CONLIMIT=5. Only one CONLIMIT value can be specified.

SIZELIMIT=Integer

specifies the maximum number of objects returned for a list or search operation. Specify a positive integer; for example, SIZELIMIT=100. Only one SIZELIMIT value can be specified.

This value overrides the value of the LDAP Search Service Controls attribute. However, it cannot increase the size limit configured for the DSA.

TIMELIMIT=Integer

specifies the maximum elapsed time in seconds for completion of an operation. Specify a positive integer; for example, SIZELIMIT=10. Only one TIMELIMIT value can be specified.

This value overrides the value of the LDAP Search Service Controls attribute. However, it cannot increase the size limit configured for the DSA.

FORB_SB=dn

specifies a base object that is not allowed in search requests. dn is the full qualified distinguished name of a leaf or a node in the DIT in LDAP format; for example, FORB_SB=ou=finance,o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple FORB_SB assertions can be specified.

FORB_SB_SUB=dn

specifies the distinguished name of the base of a subtree that is not allowed in search requests. dn is the full qualified distinguished name a node in the DIT in LDAP format; for example, FORB_SB_SUB=o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple FORB_SB_SUB assertions can be specified.

FORB_TGT=dn

specifies an entry that is not allowed in update operations. dn is the full qualified distinguished name of a leaf or a node in the DIT in LDAP format; for example, FORB_TGT=cn=smith,ou=finance,o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple FORB_TGT assertions can be specified.

FORB_TGT_SUB=dn

specifies the distinguished name of the base of a subtree that is not allowed in update operations. dn is the full qualified distinguished name a node in the DIT in LDAP format; for example, FORB_TGT_SUB=ou=finance,o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple FORB_TGT_SUB assertions can be specified.

REQUIRED_SB=dn

specifies a base object that is allowed in search requests. Subordinate dns are not included. dn is the full qualified distinguished name of a leaf or a node in the DIT in LDAP format; for example, REQUIRED_SB=ou=finance,o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple REQUIRED_SB assertions can be specified.

REQUIRED_SB_SUB=dn

specifies the distinguished name of the base of a subtree that is allowed in search requests. dn is the full qualified distinguished name a node in the DIT in LDAP format; for example, REQUIRED_SB_SUB=o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple REQUIRED_SB_SUB assertions can be specified.

REQUIRED_TGT=dn

specifies an entry that is allowed in update operations. dn is the full qualified distinguished name of a leaf or a node in the DIT in LDAP format; for example, REQUIRED_TGT=cn=smith,ou=finance,o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple REQUIRED_TGT assertions can be specified.

REQUIRED_TGT_SUB=dn

specifies the distinguished name of the base of a subtree that is allowed in update operations. dn is the full qualified distinguished name a node in the DIT in LDAP format; for example, REQUIRED_TGT_SUB=ou=finance,o=my-company. For details about distinguished names in LDAP format, see the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds. Multiple REQUIRED_TGT_SUB assertions can be specified.

MIN_SB_LEVEL=Integer

specifies the minimum level starting at the root object at which a base object must exist for a search request. Specify a positive integer; for example, MIN_SB_LEVEL=3. Only one MIN_SB_LEVEL value can be specified.

TLS_REQUIRED=Flag

indicates whether or not a bind over SSL/TLS is required. Specify 1 (true - indicates that a bind over SSL/TLS is required) or 0 (false - indicates that no bind over SSL/TLS is required). The default value is TLS_REQUIRED=0 (any bind is allowed). Only one TLS_REQUIRED flag can be specified.

PRIO=Integer

specifies the priority of policies in the same class. Specify a positive integer. The highest priority is 0. The default priority is PRIO=1. The lower the priority value, the higher is the priority. Only one PRIO value can be specified.

If there are multiple policies for the same user, the policies with the highest priority (the lowest priority value) apply.

If there are multiple policies for the same user with the same priority, the first policies found apply. It is not predictable which policies are the first ones found.

INHERIT=Flag

indicates whether or not policies are inherited. Specify INHERIT=1 (true - indicates that policies are inherited) or INHERIT=0 (false - indicates that policies are not inherited). The default value is 0 (policies are not inherited). This flag can only be specified for the USER=all class policies. Only one INHERITED flag can be specified.

DISCLOSE_VIOLATION=Flag

indicates whether or not detailed information about the specified limit is provided in the error message if the limit is exceeded. Specify DISCLOSE_VIOLATION=1 (true - indicates that detailed information is provided) or DISCLOSE_VIOLATION=0 (false - indicates that no detailed information is provided). The default value is 1 (detailed information is provided). This flag affects violations of CONLIMIT, QUOTA_MAXOPS and QUOTA_MAX_RES_BYTES. Only one DISCLOSE_VIOLATION flag can be specified.

QUOTA_MAX_OPS=IntervalUnitLimit

specifies the maximum number of operations that a user is allowed to perform in the specified time interval. Specify QUOTA_MAX_OPS in the format IntervalUnitLimit

where

Interval

is a positive integer.

Unit

is one of the following characters:

  • s for seconds

  • m for minutes

  • h for hours

  • d for days

Limit

is a positive integer specifying the maximum number of operations. The operations abandon and unbind do not increase the number of operations.

Only one QUOTA_MAX_OPS assertion can be specified.
Example: QUOTA_MAX_OPS=24h1000

QUOTA_MAX_RES_BYTES=IntervalUnitLimit

specifies the maximum number of bytes that a user is allowed to receive from search operations in the specified time interval. Specify QUOTA_MAX_RES_BYTES in the format IntervalUnitLimit

where

Interval

is a positive integer.

Unit

is one of the following characters:

  • s for seconds

  • m for minutes

  • h for hours

  • d for days

Limit

is a positive integer specifying the maximum number of bytes.

Only one QUOTA_MAX_RES_BYTES assertion can be specified.
Example: QUOTA_MAX_RES_BYTES=3600s1000000

MUST_CONTACT_DSA=DSAname

specifies the DSA that must be contacted in a multiple contact DSA configuration. (See Using Multiple Contact DSAs in the DirX Directory Administration Guide for details.) DSAname is the name of the DSA as specified in the LDAP server configuration file; for example, MUST_CONTACT_DSA=/CN=DSA1. (See LDAP Server Configuration File in the DirX Directory Administration Reference for details.)

If the MUST_CONTACT_DSA is not available and no PREF_CONTACT_DSA is specified, the operation fails.

If the MUST_CONTACT_DSA is not available and a PREF_CONTACT_DSA is specified, the LDAP server continues with contacting the PREF_CONTACT_DSA.

If the PREF_CONTACT_DSA is also unavailable, the LDAP server starts a round-robin selection to contact a DSA.

Only one MUST_CONTACT_DSA can be specified.

PREF_CONTACT_DSA=DSAname

specifies the DSA that is preferred to be contacted in a multiple contact DSA configuration. (See Using Multiple Contact DSAs in the DirX Directory Administration Guide for details.) DSAname is the name of the DSA as specified in the LDAP server configuration file; for example, PREF_CONTACT_DSA=/CN=DSA3. (See LDAP Server Configuration File in the DirX Directory Administration Reference for details.)

If the PREF_CONTACT_DSA is unavailable, the LDAP server starts a round-robin selection to contact a DSA.

Only one PREF_CONTACT_DSA can be specified.

The LDAP server reads the policies attributes at start-up. The policies attributes can be updated dynamically via LDAP extended operations (ldap_cfg_upd). (See Changing the LDAP Configuration in chapter Extending the DirX Directory Server in the DirX Directory Administration Guide for details.) When updating the policies attributes dynamically, the LDAP server keeps the old policies to avoid severe problems between old and new policies for a specific user. This operation can consume a lot of memory and performance. Consequently, we strongly recommended updating the policies only on demand and only if it is really necessary to avoid serious memory problems. If the LDAP server cannot update the policies attributes due to memory problems, the old policies remain in effect.

Use the CLASS property to specify the user or set of users to which the policy apply. CLASS is the only mandatory property. It must be specified as the first property of a policies value. All other properties are optional. They specify the rules that apply for the user(s) specified in CLASS.

Policies for a specific user can appear in several classes. The LDAP server follows the following strategy when evaluating user and group policies for a specific user:

  1. Search for a USER rule with the user’s dn.

  2. Search for a GROUP rule with the user’s dn as member of the group.

  3. Search for a WCUSER rule whose regular expression matches the user’s dn.

  4. Search for a SUBUSER rule that matches the parent of the user’s dn.

  5. Search for a USER rule with all as dn.

  6. If the LDAP server does not find a rule in steps 1 through 5, no rules apply to the user.

The LDAP server stops evaluating the user policies for a specific user when it finds a rule while performing steps 1 through 5. You can control the priority of rules by specifying the PRIO property for a rule.

If a user or group policy is exceeded, the LDAP server returns an unwilling to perform error together with detailed information about the exceeded policy. You can hide the detailed information about the exceeded policy by specifying the DISCLOSE_VIOLATION flag.

The LDAP audit log file provides an overview on the number of rules specified.

The LDAP server writes a log file in readable format every time it reads the policies attributes either at start-up or when updating the policies dynamically. The name of the log file is LUP_*pid_counter.txt*, where pid is the PID of the LDAP server process and counter is an integer starting with 1. The counter is incremented by 1 each time the LDAP server reads the policies attributes and writes the log file. The log file is located at install_path*/ldap/log*. The format of the file is identical to the output of the LDAP extended operation ldap_show_policy_rules.

Abbreviation

LUSP

LDAP Name(s)

ldapUserPolicies

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LUSP=SUBUSER\=ou\=Development\,o\=My-Company:CONNLIMIT\=10:PRIO\=1:SIZELIMIT\=1555:QUOTA_MAX_OPS\=2s10:TLS_REQUIRED\=1:DISCLOSE_VIOLATION\=1:FORB_SB\=ou\=Development\,o\=My-Company;USER\=anonymous:CONNLIMIT\=5:SIZELIMIT\=2000:QUOTA_MAX_OPS\=5m100:TLS_REQUIRED\=0:DISCLOSE_VIOLATION\=0:FORB_TGT\=cn\=admin\o\=My-Company;USER\=cn\=emil\,ou\=CertTest\,o\=My-Company:PRIO\=1:SIZELIMIT\=10:TIMELIMIT\=1:TLS_REQUIRED\=1:DISCLOSE_VIOLATION\=0
Example (LDAP)
ldapUserPolicies=SUBUSER=ou=Development,o=My-Company:CONNLIMIT=10:SIZELIMIT=100000:QUOTA_MAX_RES_BYTES=30s100000:TLS_REQUIRED=0:DISCLOSE_VIOLATION=0:FORB_SB=ou=hb,o=My-Company;USER=anonymous:CONNLIMIT=5:SIZELIMIT=2000:QUOTA_MAX_OPS=5m100:TLS_REQUIRED=0:DISCLOSE_VIOLATION=0:FORB_TGT=cn=admin,o=My-Company;USER=cn=emil,ou=CertTest,o=My-Company:PRIO=1:SIZELIMIT=10:TIMELIMIT=1:TLS_REQUIRED=1:DISCLOSE_VIOLATION=0;WCUSER=*admin*:CONNLIMIT=100:PRIO=0:SIZELIMIT=1000000:TLS_REQUIRED=0:DISCLOSE_VIOLATION=0

LDAP Group Policies

The LDAP Group Policies attribute specifies policies that apply to a group of users. This attribute is an optional, multi-valued attribute. Specify the value in the same format as described for the LDAP User Policies (see that section for details).

The LDAP Group Policies attribute can only be specified for groups with a maximum of one million members. The LDAP server discards groups with more than one million members.

See LDAP User Policies for detailed information about processing the LDAP User Policies and LDAP Group policies attributes.

Abbreviation

LGRP

LDAP Name(s)

ldapGroupPolicies

Syntax (DAP)

Directory-String {32768}

Example (DAP)
LGRP={GROUP\=cn\=allE\,o\=My-Company:CONNLIMIT\=10:PRIO\=1:SIZELIMIT\=200:
MIN_SB_LEVEL\=2:TLS_REQUIRED\=0:DISCLOSE_VIOLATION\=0}
Example (LDAP)
ldapGroupPolicies=GROUP=cn=allE,o=My-Company:CONNLIMIT=10:PRIO=1:
SIZELIMIT=200:MIN_S_LEVEL=2:TLS_REQUIRED=0:DISCLOSE_VIOLATION=0

LDAP Listen IP List

The LDAP Listen IP List attribute specifies exactly one IP address over which clients can bind to the LDAP server.

By default, the LDAP server establishes its ports (plain and SSL) for any available IP address of the host; that is, clients can bind to the LDAP server over all available IP addresses. An administrator, however, may want to restrict remote binds to only one IP address, for example, due to security issues.

Specify the IP4 address value in the shortest dotted notation, for example 192.23.81.23 (and not 192.023.081.023).

Use the keyword all to specify all possible IP addresses. This is the default.

If an invalid IP address is specified, the LDAP server does not start.

If the local loop back address 127.0.0.1 is specified, only local clients can access the LDAP server. This may be useful for administrative tasks.

The value of the LDAP Listen IP List attribute has no effect on RPC or the OSI/IDM connections of the LDAP server to the DSA. These ports are bound to all available IP addresses.

Abbreviation

LLIPL

LDAP Name(s)

ldapListenIPList

Syntax (DAP)

Directory String

Syntax (LDAP)

Directory String (LDAP Style)

Example (DAP)
LLIPL=192.10.11.12
Example (LDAP)
ldapListenIPList=192.10.11.12

LDAP ASN1 Header

The LDAP ASN1 Header attribute specifies whether X.509 attributes are returned in binary ASN1 encoding (value: FALSE) or in “{ASN}<hexdump of asn1 encoding>” format (value: TRUE).This format applies only to LDAP v2 accesses.This attribute is an optional, single-valued attribute.The default value is FALSE (X.509 attributes are returned as binary in LDAP v2 results).

Abbreviation

LAHE

LDAP Name(s)

ldapASN1Header

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LAHE=TRUE
Example (LDAP)
ldapASN1Header=TRUE

LDAP Charset Conv Request

The LDAP Charset Conv Request attribute specifies the representation of string attributes that the LDAP server expects for string values in LDAP requests. This format applies only to LDAPv2 directory access operations. This attribute is an optional, single-valued attribute. In LDAPv3, strings are always represented in UTF-8 format. Specify one of the following values:

  • LATIN1 - all strings are represented as specified in ISO8859-1.

  • UTF8 - all strings are represented in UTF-8 format.

  • T61 - all strings are represented in T61 format.

The default value is UTF8.

Abbreviation

LCCQ

LDAP Name(s)

ldapCharsetConvRequest

Syntax (DAP)

Directory String {32768}

Example (DAP)
LCCQ=T61
Example (LDAP)
ldapCharsetConvRequest=T61

LDAP Charset Conv Result

The LDAP Charset Conv Result attribute specifies the conversion of string attributes that the LDAP server performs for LDAP search results. This format applies only to LDAPv2 directory access operations. This attribute is an optional, single-valued attribute. In LDAPv3, strings are always represented in UTF-8 format. Specify one of the following values:

  • LATIN1 - all strings are converted as specified in ISO8859-1.

  • UTF8 - all strings are converted in UTF-8 format.

  • T61 - all strings are converted in T61 format.

The default value is UTF8.

The following table shows the impact of this attribute value on the representation of string values in the LDAP v2 protocol.

Attribute value syntax in
DIR.X DSA		 Value of
LDAP Charset Conv Result		 String representation in LDAPv2

Printable String

T61 String

Printable String

T61 String

T61 String

T61 String

BMP String

T61 String

T61 String

Printable String

LATIN1

Printable String

T61 String

LATIN1

ISO8859-1

BMP String

LATIN1

ISO8859-1

Printable String

UTF8

Printable String

T61 String

UTF8

UTF8

BMP String

UTF8

UTF8
Abbreviation

LCCS

LDAP Name(s)

ldapCharsetConvResult

Syntax (DAP)

Directory String {32768}

Example (DAP)
LCCS=LATIN1
Example (LDAP)
ldapCharsetConvResult=LATIN1

LDAP Read Only Server

The LDAP Read Only Server attribute specifies whether the LDAP server allows update operations (add, delete, modify and moddn) (value: FALSE) or not (value: TRUE). When this attribute is set to the value TRUE, update operations are rejected with the error Administrative Limit Exceeded. The default value is FALSE (update operations permitted).

Abbreviation

LROS

LDAP Name(s)

ldapReadOnlyServer

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LROS=TRUE
Example (LDAP)
ldapReadOnlyServer=TRUE

LDAP Thread Pool Size

The LDAP Thread Pool Size attribute specifies the maximum number of operation threads available to operate LDAP client requests in parallel. This pool size is static and cannot be modified without restarting the server.

The value of this attribute does not limit the possible simultaneous connections or the possible simultaneous operations, but it can affect the LDAP server performance and should therefore be chosen with care. The value to be used depends on the available system resources and the expected search profiles (big results or small results, LDAP cache on/off). Especially if the LDAP cache is enabled and provides a good hit rate, it might be possible to decrease the value. If the LDAP cache is disabled or most operations stress the backend with long-duration operations, the value can be increased to improve performance. If all pool threads are busy, further operations will be queued for processing.

If the value is set too high for your system, permanent re-scheduling of threads can occur, thereby lowering LDAP performance.

The default value of this attribute is 32.

Abbreviation

LTPS

LDAP Name(s)

ldapThreadPoolSize

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LTPS=24
Example (LDAP)
ldapThreadPoolSize=24

LDAP Socket Keep Alive

The LDAP Socket Keep Alive attribute specifies whether the TCP keep-alive feature is enabled for all LDAP server connections (value 1) or not (value 0). The default value of this attribute is that the feature is enabled (1).

If the TCP keep-alive feature is enabled, the LDAP server requests TCP to verify whether an idle connection is still intact by sending keep-alive packets. In the event that a connection is no longer intact (for example, the LAN cable is no longer connected) or a remote client has not properly closed the connection, TCP aborts this connection.

The system administrator must set the timings and intervals for this mechanism to reasonable values. (See the section Enabling KEEPALIVE Time/Interval in the Environment Variables chapter in the DirX Directory Administration Reference for details.)

Abbreviation

LSOKA

LDAP Name(s)

ldapSockKeepAlive

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LSOKA=0
Example (LDAP)
ldapSockKeepAlive=0

LDAP Asynchronous Sockets

The LDAP Asynchronous Sockets attribute specifies whether the LDAP server performs non-blocking socket interface operations (value 1) or not (value 0). The default value is 1 (perform non-blocking operations).

When an LDAP client establishes a new connection, the LDAP server performs a socket interface accept operation that creates a new socket representing the TCP connection to the client. When the client and the server exchange data, the LDAP server performs send and receive operations. Usually the sockets are created in blocking mode; that is, all operations exchanging data block the connection until all data is processed (all data is copied to the TCP transport buffers). If, for example, a client stops collecting or sending data before the end of data has been reached, the socket is blocked forever. To avoid such a deadlock, the LDAP server should use non-blocking sockets.

Using non-blocking sockets may be a bit slower than using blocking sockets because a single blocking send / receive operation may result in multiple send / receive operations.

Abbreviation

LASYS

LDAP Name(s)

ldapAsyncSockets

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LASYS=0
Example (LDAP)
ldapAsyncSockets=0

LDAP Max Send Timeout

The Max Send Timeout attribute specifies the maximum timeout value in seconds after which the LDAP server closes a non-responding connection and stops sending data. This attribute affects only non-blocking sockets. (See the LDAP Asynchronous Sockets attribute above for details.) The default value is 30 seconds.

In the event that there is no idle socket to send data, the non-blocking socket send operation returns an error indicating that the data cannot be sent. The LDAP server sets the time limit specified in the LDAP Max Send Timeout attribute for completing the intended send operation. If the time has elapsed and the data has not been sent, the LDAP server closes the connection without any further I/O. It writes an exception log indicating the timeout.

Usually the LDAP server sends PDUs in a single operation. However, for search results, it may perform several send operations. The LDAP server evaluates the timeout value for each operation. In the event of a timeout, the LDAP server aborts the current operation and all possible subsequent traffic for the given connection. Then the LDAP server closes the connection.

Abbreviation

LMSTI

LDAP Name(s)

ldapMaxSendTimeout

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LMSTI=40
Example (LDAP)
ldapMaxSendTimeout=40

LDAP Max Recv Timeout

The Max Recv Timeout attribute specifies the maximum timeout value in seconds after which the LDAP server closes a non-responding connection and stops receiving data. This attribute affects only non-blocking sockets. (See the LDAP Asynchronous Sockets attribute above for details.) The default value is 30 seconds.

In the event that there is no idle socket to receive data, the non-blocking socket receive operation returns an error indicating that the data cannot be received. The LDAP server sets the time limit specified in the LDAP Max Recv Timeout attribute for completing the intended receive operation. If the time has elapsed and the data has not been received, the LDAP server closes the connection without any further I/O. It writes an exception log indicating the timeout.

Usually the LDAP server receives PDUs in a single operation. However, for search results, it may perform several receive operations. The LDAP server evaluates the timeout value for each operation. In the event of a timeout, the LDAP server aborts the current operation and all possible subsequent traffic for the given connection. Then the LDAP server closes the connection.

Abbreviation

LMRTI

LDAP Name(s)

ldapMaxRecvTimeout

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LMRTI=40
Example (LDAP)
ldapMaxRecvTimeout=40

LDAP Max Incomplete Operations Per Connection

The LDAP Max Incomplete Operations Per Connection attribute specifies the maximum number of incomplete operations per connection. By default, a client can send several requests without collecting the results. Such operations remain incomplete and increase the system load on the server side. Thus a single client may consume the entire system resources. To avoid such situations, it is possible to limit the number of incomplete operations per connection by specifying a value greater than 1 for this attribute.

If a client exceeds the maximum number of incomplete operations, the LDAP server rejects all new incoming requests from that client until the client finishes incomplete operations and the number of incomplete operations is lower than the specified limit.

A value greater than 0 limits the number of incomplete operations to this value.

A value of 1 enforces a synchronous client behavior; that is, the client must collect all results of an operation before it can send the next request.

A value of 0 disables this feature and specifies an unlimited number of incomplete operations; that is, the only limits are the system resources. This is the default value.

It is recommended to enable this feature only if there are problems with the default behavior.

Abbreviation

LMIOC

LDAP Name(s)

ldapMaxIncompleteOpsPerConn

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LMIOC=8
Example (LDAP)
ldapMaxIncompleteOpsPerConn=8

LDAP OpStack Size Limit

The LDAP OpStack Size Limit attribute specifies the maximum number of operations that are accepted by the LDAP server. Whenever the listener thread of the LDAP server detects an activity on an existing connection, it creates a new operation and puts it onto an internal operation stack (OpStack) for subsequent processing by one of the pool threads. Usually there should be always a thread available to process the operation immediately. However, during system overload, all pool threads are busy, for example, due to long-lasting operations. In this case, the internal operation stack grows until the system resources are exhausted. To avoid exhausting system resources and long-lasting operations due to waiting time in the internal operation stack, it is recommended to limit the internal operation stack size.

The default value is 320; this is the tenfold default thread pool size. (See the LDAP Thread Pool Size attribute above for details.) A value of 0 is an unlimited number.

If the limit is exceeded, specific overflow threads process all incoming operations immediately by returning a busy error code (51). (See the LDAP Overflow Threads attribute description for details.)

Abbreviation

LOSLI

LDAP Name(s)

ldapOpStackLimit

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LOSLI=200
Example (LDAP)
ldapOpStackLimit=200

LDAP Overflow Threads

The LDAP Overflow Threads attribute specifies the number of threads handling requests if the internal operation stack limit is exceeded. (See the LDAP OpStack Size Limit attribute above for details.) An overflow thread just returns the busy error code (51). This attribute has an effect only if the LDAP OpStack Size Limit attribute is greater than 0. In this case, there must be at least one overflow thread.

The default value is 1. The maximum value is the maximum number of pool threads. (See the LDAP Thread Pool Size attribute description for details.) The number of overflow threads decreases the maximum number of operation threads (LDAP Thread Pool Size).

Abbreviation

LOFTH

LDAP Name(s)

ldapOverFlowThreads

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LOFTH=2
Example (LDAP)
ldapOverFlowThreads=2

LDAP Cache

The LDAP Cache attribute specifies whether the LDAP cache for LDAP search results is enabled. This mechanism can provide a dramatic performance increase if repeated LDAP search requests appear frequently, for the cost of extra memory.

If the value is TRUE, the LDAP cache is enabled; that is, an LDAP search result is retrieved in the LDAP cache first. An LDAP result is retrieved successfully in the LDAP cache when the very same user sends the identical search request several times.

LDAP search results are not stored in the LDAP cache when the following conditions apply:

  • The result has already been stored in the cache.

  • The request of a result contains controls (LDAP v3 only).

  • The result was assembled via DSA chaining. You can enforce caching of results of chained searches by specifying the value 1 for the environment variable DIRX_LDAP_IGNORE_CACHABLE_FLAG.

  • The request of a result contains as a requested attribute at least one of the attribute types that are configured in the environment variable DIRX_LDAP_CACHE_BANNED_REQ_ATTR.

  • The request of a result has a base object whose DN matches one of the DNs configured in the environment variable DIRX_LDAP_CACHE_BANNED_BASE_OBJ.

  • The request of a result was performed by a user whose DN is not configured in the environment variable DIRX_LDAP_CACHE_ALLOWED_USER.

If the value is FALSE, the LDAP cache is disabled; that is, all LDAP search results are retrieved in the DSA database.

The default value of this attribute is FALSE (LDAP cache disabled).

Modifications to this attribute become effective only after a restart of the LDAP server.

To enable or disable the LDAP cache dynamically, use the dirxadm ldap cache –start or –stop operations. (See the ldap cache section in the dirxadm command description in the DirX Directory Administration Reference for details on a set of operations for dynamic administration of the LDAP cache.)

Abbreviation

LCA

LDAP Name(s)

ldapCache

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LCA=FALSE
Example (LDAP)
ldapCache=FALSE

LDAP Cache Max Cached Elements

The LDAP Cache Max Cached Elements optional, single-valued attribute is provided to configure the maximum number of LDAP search results that are stored in the LDAP server’s cache. An LDAP search result consists always of one or more LDAP result messages. Each result message describes one resulting entry. The last result message contains the result code of the search. If the search results in no entry, the LDAP search result consists only of the last result message containing the result code.

The value selected for this attribute depends on the value of the LDAP Cache Table Size attribute and the system memory available. Each cached result requires at least 1 KB. This size is for a result that contains just the return code and no entries. The cached size of typical results that contain not only the result code but also entries depends on the size of the retrieved attribute sizes. The default value is 10000 (that is if the LDAP cache is filled it consumes at least 10 MB of memory).

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMAXCEL

LDAP Name(s)

ldapCacheMaxCachedElements

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMAXCEL=15000
Example (LDAP)
ldapCacheMaxCachedElements=15000

LDAP Cache Maximum Memory Size

The LDAP Cache Maximum Memory Size optional, single-valued attribute is provided to configure the maximum memory size in MB used for the LDAP result cache.

The default value is 0 that is the memory size is unlimited. If the value is greater than 0, the LDAP server stores a result in the cache if there is enough memory space left. If the memory size specified would be exceeded after storing, the result it is not cached.

Keep in mind that the LDAP Cache Max Cached Elements attribute also limits the storing of results. If either limit is exceeded, the LDAP server does not store further results.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMAXMES

LDAP Name(s)

ldapCacheMaxMemSize

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMAXMES=256

The upper bound of the memory used by the LDAP cache is 256 MB.
Example (LDAP)
ldapCacheMaxMemSize=256

LDAP Cache Min Cache Time

The LDAP Cache Min Cache Time optional, single-valued attribute is provided to configure the minimum number of seconds that an LDAP search result is stored in the LDAP cache. A cached result is not removed from the cache until this amount of time has elapsed. The default value is 0.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMINCTI

LDAP Name(s)

ldapCacheMinCacheTime

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMINCTI=60
Example (LDAP)
ldapCacheMinCacheTime=60

LDAP Cache Max Cache Time

The LDAP Cache Max Cache Time attribute optional, single-valued is provided to configure the maximum number of seconds that an LDAP search result is stored in the LDAP cache. The default value is 43200 (12 hours).

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMAXCTI

LDAP Name(s)

ldapCacheMaxCacheTime

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMAXCTI=7200
Example (LDAP)
ldapCacheMaxCacheTime=7200

LDAP Cache Min Cache Entries

The LDAP Cache Min Cache Entries optional, single-valued attribute is provided to configure the minimum number of entries that an LDAP search result must have to be stored in the LDAP cache. The default value is 0. (That is that even empty results – results that only contain the result code - are cached.)

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMINCEN

LDAP Name(s)

ldapCacheMinCacheEntries

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMINCEN=5
Example (LDAP)
ldapCacheMinCacheEntries=5

LDAP Cache Max Cache Entries

The LDAP Cache Max Cache Entries optional, single-valued attribute is provided to configure the maximum number of entries that an LDAP search result can have to be stored in the LDAP cache. The default value is 2000 (an LDAP search result is not stored in the cache if it consists of more than 2,000 entries). By default, the DirX Directory DSA is limited to returning only the first 2,000 entries of a search request.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMAXCEN

LDAP Name(s)

ldapCacheMaxCacheEntries

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMAXCEN=2500
Example (LDAP)
ldapCacheMaxCacheEntries=2500

LDAP Cache Min Attributes

The LDAP Cache Min Attributes optional, single-valued attribute is provided to configure the minimum number of attributes that an LDAP search result must have to be stored in the LDAP cache. Note that this attribute specifies the minimum number of attributes for the whole result and not for a single entry of the result. The default value is 0.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMINATS

LDAP Name(s)

ldapCacheMinAttrs

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMINATS=10 (A search result must contain at least 10 attributes to be stored in the cache.)
Example (LDAP)
ldapCacheMinAttrs=10

LDAP Cache Max Attributes

The LDAP Cache Max Attributes optional, single-valued attribute is provided to configure the maximum number of attributes that an LDAP search result can have to be stored in the LDAP cache. Note that this attribute specifies the maximum number of attributes for the whole result and not for a single entry of the result. The default value is 2000. (That is an LDAP search result is not stored in the cache if it contains more than 2,000 attributes.)

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMAXATS

LDAP Name(s)

ldapCacheMaxAttrs

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMAXATS=2500 (A search result can contain up to 2,500 attributes to be stored in the cache.)
Example (LDAP)
ldapCacheMaxAttrs=2500

LDAP Cache Min Values

The LDAP Cache Min Values optional, single-valued attribute is provided to configure the minimum number of attribute values that an LDAP search result must have to be stored in the LDAP cache. Note that this attribute specifies the minimum number of attribute values for the whole result and not for a single entry of the result. The default value is 0.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMINAVS

LDAP Name(s)

ldapCacheMinValues

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMINAVS=10 (A search result must contain at least 10 attribute values to be stored in the cache.)
Example (LDAP)
ldapCacheMinValues=10

LDAP Cache Max Values

The LDAP Cache Max Values optional, single-valued attribute is provided to configure the maximum number of attribute values that an LDAP search result can have to be stored in the LDAP cache. Note that this attribute specifies the maximum number of attribute values for the whole result and not for a single entry of the result. The default value is 2000 (an LDAP search result is not stored in the cache if it contains more than 2,000 attribute values).

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCMAXAVS

LDAP Name(s)

ldapCacheMaxValues

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCMAXAVS=2500 (A search result can contain up to 2,500 attribute values to be stored in the cache.)
Example (LDAP)
ldapCacheMaxValues=2500

LDAP Cache Table Size

The LDAP Cache Table Size optional, single-valued attribute is provided to configure the size of the internal cash table. For best performance, the value of this component should be at least (max_cached_elements / 3). It must be at least 128. The default value is 4096.

DirX Directory prohibits increasing the table size beyond 65535. The number of cached results is not limited (only by memory), but cache performance will decrease if too many results are stored in a small table.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCTBSIZE

LDAP Name(s)

ldapCacheTableSize

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCTBSIZE=5000
Example (LDAP)
ldapCacheTableSize=5000

LDAP Cache Update Strategy

The LDAP Cache Update Strategy optional, single-valued attribute is provided to configure the update strategy of the LDAP cache. Specify one of the following values:

  • 0 - (Full erase strategy). After the database has been modified by an update operation, all LDAP search results are removed from the LDAP cache. This strategy should only be applied if there are only a small number of modifications.

  • 1 - (DN strategy). After the database has been modified by an update operation, all LDAP search results that may contain the distinguished name of the modified object are removed from the LDAP cache.

  • 2 - (Attribute strategy). After the database has been modified by an update operation, all LDAP search results that may contain the modified attribute are removed from the LDAP cache.

  • 3 - (DN + attribute strategy.) After the database has been modified by an update operation, all LDAP search results that may contain the distinguished name of the modified object or may contain the modified attribute are removed from the LDAP cache.

The default value is 3.

Modifications to this attribute become effective only after a restart of the LDAP server.

Abbreviation

LCUPDSTR

LDAP Name(s)

ldapCacheUpdateStrategy

Syntax (DAP)

Integer

Syntax (LDAP)

Integer-String (LDAP style)

Example (DAP)
LCUPDSTR=0
Example (LDAP)
ldapCacheUpdateStrategy=0

LDAP Audit Configuration Subentry CN

The LDAP Audit Configuration Subentry CN attribute specifies the common name attribute of the LDAP Audit configuration subentry. This attribute is an optional single-valued attribute. When this attribute is omitted, the LDAP server reads the LDAP audit configuration subentry with the default common name value ldapAudit.

Abbreviation

LACCN

LDAP Name(s)

ldapAuditCfgSubentryCN

Syntax (DAP)

Printable String

Syntax (LDAP)

Printable String (LDAP style)

Example (DAP)
LACCN=LDAPAauditConfigurationSubentry
Example (LDAP)
ldapAuditCfgSubentryCN=LDAPAauditConfigurationSubentry

Attributes Controlling LDAP Extended Operations

DirX Directory provides a set of attributes for controlling LDAP extended operations. These attributes specify groups of users that are allowed to perform specific extended operations and groups of operations. The following attributes grant specific rights to perform a specific set of LDAP extended operations:

  • LDAP Extended Operations Admins - allows users listed in this attribute to perform all LDAP extended operations.

  • LDAP Extended Operations Admin Groups - allows users who are members of the group(s) listed in this attribute to perform all LDAP extended operations.

  • LDAP Extended Operations Read Users - allows users listed in this attribute to perform all LDAP extended read operations.

  • LDAP Extended Operations Read Groups - allows users who are members of the group(s) listed in this attribute to perform all LDAP extended read operations.

  • LDAP Extended Operations Execute Users - allows users listed in this attribute to perform all LDAP extended execute operations.

  • LDAP Extended Operations Execute Groups - allows users who are members of the group(s) listed in this attribute to perform all LDAP extended execute operations.

  • LDAP Extended Operations Monitoring Users - allows users listed in this attribute to perform all LDAP extended monitoring operations.

  • LDAP Extended Operations Monitoring Groups - allows users who are members of the group(s) listed in this attribute to perform all LDAP extended monitoring operations.

At startup, the LDAP server reads the groups attributes LDAP Extended Operations Admin Groups, LDAP Extended Operations Read Groups, LDAP Extended Operations Execute Groups and LDAP Extended Operations Monitoring Groups and evaluates their members. Changes made to these groups attributes while the LDAP server is running can be dynamically activated with the LDAP extended operation ldap_cfg_upd. See the ldap_cfg_upd reference description in DirX Directory LDAP Extended Operations.

The number of members in a group affects the LDAP server’s startup time. Specifying very large groups - more than 1,000 members - may result in a long wait time before the LDAP server becomes responsive after startup.

The following attributes group the LDAP extended operations:

  • LDAP Extended Read Operations - specifies all operations that retrieve data and require read access rights.

  • LDAP Extended Execute Operations - specifies all operations that execute or change data and require execute access rights.

  • LDAP Extended Monitoring Operations - specifies all operations that are used for special Nagios monitoring and require monitoring access rights.

There are default LDAP extended read, execute and monitoring operations. These default operations specify the default values for the attributes grouping the LDAP extended operations. If an LDAP extended operation is not contained in any attribute, the default grouping applies. An LDAP extended operation can only be contained in one grouping attribute. The following LDAP extended operations do not belong to any group and no specific access rights are required to perform them. It is recommended not to add them to a group attribute because they are used for internal operations:

  • startTLS (dirxcp startTLS) - enables SSL/TLS security for a LDAP connection; that is, the LDAP server performs extended operations. Note that the LDAP Start TLS Enabled (LSTEN, ldapStartTLSenabled) attribute must be set to 1 to perform this operation.

  • ldap_extop_info - displays a list of all supported extended operations.

  • ldap_cfg_defaults - displays the default values for the LDAP server configuration.

  • ldap_ssl_ciphernames - displays the LDAP SSL cipher names.

  • ldap_show_config_dsas - displays the contact DSAs configured for an LDAP server.

See the dirxextop command reference page in the DirX Directory Administration Reference for a list of extended operations provided by DirX Directory and how to perform them.

The following sections describe the attributes that control the LDAP extended operations.

LDAP Extended Operations Admins

The LDAP Extended Operations Admins attribute controls the accessibility of extended operations. This attribute is an optional, multi-valued attribute. The default is that performing extended operations is prohibited; that is, the LDAP server only performs the extended operations that require no access rights (see the list in the section Attributes Controlling LDAP Extended Operations above) or that users are allowed to perform due to the values specified in the LDAP Extended Operations Read, Execute, or Monitoring attributes.

The users listed in this attribute are allowed to execute all LDAP extended operations.

Specify the DN attribute values in LDAP format; for example, cn=admin,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds for details.) Specify complete distinguished names of users that can perform an LDAP bind.

If a client binds via SASL with the EXTERNAL mechanism, the DN is taken from the user’s certificate subject field. independent of the mapping method defined by the attribute LDAP SASL Authz Id Mapping. Specify the user’s subject DN in LDAP format; for example, uid=12345,givenName=Max Mustermann,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds.)

The LDAP server performs the extended operation if the client’s DN in the bind operation or the user’s certificate subject field matches one of the attribute values.

The value(s) of the attribute are treated and compared as LDAP DNs by eliminating unspecific blanks and normalizing to lowercase, for example:

CN = Admin, O=My-Company is normalized to cn=admin,o=my-company

The keyword all specifies that everyone can perform extended operations and the keyword none specifies that no one can perform extended operations.

Abbreviation

LEXOA

LDAP Name(s)

ldapExtOpAdmins

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXOA=cn++\++=admin++\++,o++\++=my-company;cn++\++=metaadm++\++,o++\++=my-company}

The LDAP server performs extended operations only if one of the two My-Company administrators (cn=admin,o= my-company or cn=metaadm,o=my-company) is bound.
Example (LDAP)
{ldapExtOpAdmins=cn=admin,o=my-company;cn=metaadm,o=my-company}
LDAP Extended Operations Admin Groups

The LDAP Extended Operations Admin Groups attribute allows you to control the accessibility of extended operations by specifying groups. This attribute is an optional, multi-valued attribute. The groups must have the object class groupOfNames.

The members of the groups specified in this attribute are allowed to execute all LDAP extended operations.

The default is that performing extended operations is prohibited; that is, the LDAP server only performs the extended operations that require no access rights (see the list in the section Attributes Controlling LDAP Extended Operations above) or that users are allowed to perform due to the values specified in the LDAP Extended Operations Read, Execute or Monitoring attributes.

Specify the DN attribute values in LDAP format; for example, cn=admin,o=my-company. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds for details.) Specify complete distinguished names of groups that contain members that can perform an LDAP bind.

If a client binds via SASL with the EXTERNAL mechanism, the DN is taken from the user’s certificate subject field independent of the mapping method defined by the attribute LDAP SASL Authz Id Mapping. There is no difference between simple- and SASL-bound users when the privilege is granted due to the group membership.

The LDAP server performs the extended operation if the client’s DN in the bind operation matches a member name in one of the specified group attribute values.

The value(s) of the attribute are treated and compared as LDAP DNs by eliminating unspecific blanks and normalizing to lowercase, for example:

CN = Admin, O=My-Company is normalized to cn=admin,o=my-company

Abbreviation

LEXOAG

LDAP Name(s)

ldapExtOpAdminGroups

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXOAG=cn\=adminGroup\,o\=my-company;cn\=metaadmGroup\,o\=my-company}

The LDAP server performs extended operations only for those users that are members of one of the two listed My-Company administrator groups: cn=adminGroup,o=my-company or cn=metaadmGroup,o=my-company.

Example (LDAP)
{ldapExtOpAdminGroups=cn=adminGroup,o=my-company;cn=metaadmGroup,o=my-company}
LDAP Extended Operations Read Users

The LDAP Extended Operations Read Users attribute controls the accessibility of LDAP extended read operations. This attribute is an optional, multi-valued attribute. The LDAP Extended Read Operations attribute specifies all LDAP extended read operations.

The default is that no user is allowed to perform LDAP extended read operations.

Specify the DN attribute values as described in the section LDAP Extended Operations Admins.

Abbreviation

LEXORU

LDAP Name(s)

ldapExtOpReadUsers

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXORU=cn\=admin\,o\=my-company;cn\=metaadm\,o\=my-company}

The LDAP server performs LDAP extended read operations only if one of the two My-Company administrators (cn=admin,o= my-company or cn=metaadm,o=my-company) is bound.

Example (LDAP)
{ldapExtOpReadUsers=cn=admin,o=my-company;cn=metaadm,o=my-company}
LDAP Extended Operations Read Groups

The LDAP Extended Operations Read Groups attribute controls the accessibility of LDAP extended read operations by specifying groups. The groups must have the object class groupOfNames.

Members of the groups specified in this attribute are allowed to execute the LDAP extended operations that require read privilege.

All members of the specified groups have the same permissions as the users listed explicitly with their entry DNs in the LDAP Extended Operations Read Users attribute.

This attribute is an optional, multi-valued attribute.

The LDAP Extended Operations Read Groups attribute specifies all LDAP extended read operations.

The default is that no group is allowed to perform LDAP extended read operations.

Specify the DN attribute values as described in the section LDAP Extended Operations Admin Groups.

Abbreviation

LEXORG

LDAP Name(s)

ldapExtOpReadGroups

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXORG=cn\=readUserGroup\,o\=my-company;}

The LDAP server performs LDAP extended read operations only if the bound user is a member of the specified group cn=ReadUserGroup,o=my-company.

Example (LDAP)
{ldapExtOpReadUsers=cn=ReadUserGroup,o=my-company}
LDAP Extended Operations Execute Users

The LDAP Extended Operations Execute Users attribute controls the accessibility of LDAP extended execute operations. This attribute is an optional, multi-valued attribute. The LDAP Extended Execute Operations attribute specifies all LDAP extended execute operations.

The default is that no user is allowed to perform LDAP extended execute operations.

Specify the DN attribute values as described in section LDAP Extended Operations Admins.

Abbreviation

LEXOEU

LDAP Name(s)

ldapExtOpExecuteUsers

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXOEU=cn\=admin\,o\=my-company;cn\=metaadm\,o\=my-company}

The LDAP server performs LDAP extended execute operations only if one of the two My-Company administrators (cn=admin,o= my-company or cn=metaadm,o=my-company) is bound.

Example (LDAP)
{ldapExtOpExecuteUsers=cn=admin,o=my-company;cn=metaadm,o=my-company}
LDAP Extended Operations Execute Groups

The LDAP Extended Operations Execute Groups attribute controls the accessibility of LDAP extended execute operations by specifying groups. The groups must have the object class groupOfNames.

Members of the groups specified in this attribute are allowed to execute the LDAP extended operations that require execute privilege.

All members of the specified groups have the same permissions as the users listed explicitly with their entry DNs in the LDAP Extended Operations Execute Users attribute.

This attribute is an optional, multi-valued attribute.

The LDAP Extended Operations Execute Groups attribute specifies all LDAP extended execute operations.

The default is that no group is allowed to perform LDAP extended execute operations.

Specify the DN attribute values as described in the section LDAP Extended Operations Admin Groups.

Abbreviation

LEXOEG

LDAP Name(s)

ldapExtOpExecuteGroups

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXOEG=cn\=Group4711\,o\=my-company

The LDAP server performs LDAP extended read operations only if the bound user is a member of the specified group cn=Group4711,o= my-company.

Example (LDAP)
{ldapExtOpExecuteGroups=cn=Group4711,o=my-company}
LDAP Extended Operations Monitoring Users

The LDAP Extended Operations Execute Users attribute controls the accessibility of LDAP extended monitoring operations. This attribute is an optional, multi-valued attribute. The LDAP Extended Monitoring Operations attribute specifies all LDAP extended monitoring operations.

The default is that no user is allowed to perform LDAP extended monitoring operations.

Specify the DN attribute values as described in section LDAP Extended Operations Admins.

Abbreviation

LEXOMU

LDAP Name(s)

ldapExtOpMonitoringUsers

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXOMU=cn\=admin\,o\=my-company;cn\=metaadm\,o\=my-company}

The LDAP server performs LDAP extended execute operations only if one of the two My-Company administrators (cn=admin,o= my-company or cn=metaadm,o=my-company) is bound.

Example (LDAP)
{ldapExtOpMonitoringUsers=cn=admin,o=my-company;cn=metaadm,o=my-company}
LDAP Extended Operations Monitoring Groups

The LDAP Extended Operations Monitoring Groups attribute controls the accessibility of LDAP extended monitoring operations by specifying groups. The groups must have the object class groupOfNames.

Members of the groups specified in this attribute are allowed to execute the LDAP extended operations that require monitoring privilege.

All members of the specified groups have the same permissions as the users listed explicitly with their entry DNs in the LDAP Extended Operations Monitoring Users attribute.

This attribute is an optional, multi-valued attribute.

The LDAP Extended Operations Monitoring Groups attribute specifies all LDAP extended monitoring operations.

The default is that no group is allowed to perform LDAP extended monitoring operations.

Specify the DN attribute values as described in the section LDAP Extended Operations Admin Groups.

Abbreviation

LEXOMG

LDAP Name(s)

ldapExtOpMonitoringGroups

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXOMG=cn\=NagiosUserGroup\,o\=my-company}

The LDAP server performs LDAP extended read operations only if the bound user is a member of the specified group cn=NagiosUserGroup,o= my-company.

Example (LDAP)
{ldapExtOpMonitoringGroups=cn=NagiosUserGroup,o=my-company}
LDAP Extended Read Operations

The LDAP Extended Read Operations attribute specifies all LDAP extended read operations. This attribute is an optional, multi-valued attribute.

Specify the OID or the keyword of the LDAP extended operation. See the dirxextop reference page in the DirX Directory Administration Reference for a complete list of extended operations.

The default LDAP extended read operations are:

  • ldap_mib_static

  • ldap_mib_total

  • ldap_mib_current

  • ldap_mib_assoc

  • ldap_mib_env

  • ldap_cache_info

  • ldap_audit_info

  • ldap_host_ips

  • ldap_pstack

  • ldap_bt_dump

  • ldap_idm_dump

  • ldap_cache_dump

  • ldap_rusage

  • ldap_pfiles

  • ldap_top

  • ldap_status

  • ldap_pmap

  • ldap_ctxinfo

  • ldap_netstat

  • ldap_exceptions

  • ldap_op_history

  • ldap_show_op_priv

  • ldap_show_priv_users

  • ldap_show_cfg_audit

  • ldap_show_cfg_general

  • ldap_show_cfg_ssl

  • ldap_show_cfg_upd_attr

  • ldap_show_cfg_upd_attr_history

  • dsa_nmi_show

  • dsa_dbam_mib_show

  • dsa_entry_info_get

  • dsa_nmi_show_dap

  • dsa_nmi_show_dsp

  • dsa_nmi_show_disp

  • dsa_pstack

  • dsa_bt_dump

  • dsa_idm_dump

  • dsa_disp_flow_counter

  • dsa_rusage

  • dsa_pfiles

  • dsa_top

  • dsa_status

  • dsa_pmap

  • dsa_dbam_devinfo

  • dsa_iostat

  • dsa_ctxinfo

  • dsa_audit_info

  • dsa_dbam_config

  • dsa_netstat

  • dsa_exceptions

  • dsa_history_dap

  • dsa_history_dsp

  • dsa_history_disp

  • dsa_index_info

  • dsa_disp_monitor

Modify the attribute value by simply adding or deleting an LDAP extended operation.

To perform the LDAP extended read operations, the client’s DN must match either a value contained in the LDAP Extended Operations Admins attribute or a value in the LDAP Extended Operations Read Users attribute.

Abbreviation

LEXROP

LDAP Name(s)

ldapExtReadOperations

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXROP=ldap_dsa_getopmode;1.3.12.2.1107.1.3.2.13.33}

The LDAP extended read operations group contains all default LDAP extended read operations not contained in any other group attribute and the operations displaying the DSA operation mode (ldap_dsa_getopmode) and the status of a database backup (1.3.12.2.1107.1.3.2.13.33).

Example (LDAP)
{ldapExtReadOperations=ldap_dsa_getopmode;1.3.12.2.1107.1.3.2.13.33}
LDAP Extended Execute Operations

The LDAP Extended Execute Operations attribute specifies all LDAP extended execute operations. This attribute is an optional, multi-valued attribute.

Specify the OID or the keyword of the LDAP extended operation. See the dirxextop reference page in the DirX Directory Administration Reference for a complete list of extended operations.

The default LDAP extended execute operations are:

  • ldap_audit_start

  • ldap_audit_stop

  • ldap_cache_start

  • ldap_cache_stop

  • ldap_cache_clear

  • ldap_audit_evaluate

  • ldap_audit_err

  • ldap_disable_config_dsa

  • ldap_enable_config_dsa

  • ldap_cfg_upd

  • dsa_dbam_mib_enable

  • dsa_dbam_mib_disable

  • dsa_audit_evaluate

  • dsa_audit_enable

  • dsa_audit_disable

  • dsa_dbam_backup

  • dsa_dbam_aac

Modify the attribute value by simply adding or deleting an LDAP extended operation.

To perform the LDAP extended execute operations, the client’s DN must match either a value contained in the LDAP Extended Operations Admins attribute or a value in the LDAP Extended Operations Execute Users attribute.

Abbreviation

LEXEOP

LDAP Name(s)

ldapExtExecuteOperations

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXEOP=ldap_dsa_getopmode;1.3.12.2.1107.1.3.2.13.33}

The LDAP extended execute operations group contains all default LDAP extended execute operations not contained in any other group attribute and the operations displaying the DSA operation mode (ldap_dsa_getopmode) and the status of a database backup (1.3.12.2.1107.1.3.2.13.33).

Example (LDAP)
{ldapExtExecuteOperations=ldap_dsa_getopmode;1.3.12.2.1107.1.3.2.13.33}
LDAP Extended Monitoring Operations

The LDAP Extended Monitoring Operations attribute specifies all LDAP extended monitoring operations. This attribute is an optional, multi-valued attribute.

Specify the OID or the keyword of the LDAP extended operation. See the dirxextop reference page in the DirX Directory Administration Reference for a complete list of extended operations.

The default LDAP extended monitoring operations are:

  • ldap_mib_total_tevd

  • ldap_mib_current_tevd

  • ldap_no_of_fds

  • dsa_server_files

  • dsa_dbam_preload_status

  • dsa_backup_status

  • dsa_no_of_fds

The Nagios plugins use the operations listed above to retrieve monitoring information from the DirX Directory servers.

Modify the attribute value by simply adding or deleting an LDAP extended operation.

To perform the LDAP extended read operations, the client’s DN must match either a value contained in the LDAP Extended Operations Admins attribute or a value in the LDAP Extended Operations Monitoring Users attribute.

Abbreviation

LEXMOP

LDAP Name(s)

ldapExtMonitoringOperations

Syntax (DAP)

Directory-String {32768}

Syntax (LDAP)

Directory-String {32768} (LDAP Style)

Example (DAP)
{LEXMOP=ldap_mib_static;1.3.12.2.1107.1.3.2.11.5}

The LDAP extended monitoring operations group contains all default LDAP extended monitoring operations not contained in any other group attribute and the operations displaying the LDAP MIB static table (ldap++_++mib++_++static) and the LDAP MIB environment table (1.3.12.2.1107.1.3.2.11.5).
Example (LDAP)
{ldapExtMonitoringOperations=ldap_mib_static;1.3.12.2.1107.1.3.2.11.5}

Attributes for LDAP Server SSL Configuration

Attributes for LDAP server SSL configuration are attributes of the LDAP server SSL configuration subentry with the default name /CN=LdapSSLConfiguration. (This name is referenced in the LDAP SSL Configuration Subentry CN (LSCCN) attribute of the LDAP Server Configuration subentry.) All attributes are optional. Run the script ldap_sslcfg.cp (using dirxcp) to create a default LDAP SSL configuration subentry that specifies default values for the DirX Directory LDAP server. Use the dirxcp obj operations to modify the attributes of the default LDAP SSL configuration subentry or to create new LDAP SSL configuration subentries. Like all other subentries, it cannot be created via LDAP. However, it can be modified via LDAP. Modifications of an LDAP SSL configuration subentry become effective after a restart of the LDAP server. The LDAP server SSL configuration subentry is only read at start time when SSL is enabled; that is, when the value of the LDAP Secure Port Number attribute is greater than zero. (See section LDAP Secure Port Number for details.)

LDAP Security Level A

The LDAP Security Level A single-valued attribute specifies the minimum required security level of the LDAP server’s own key material for OpenSSL. (See LDAP Own Keymaterial PEM attribute and section LDAP Server Key Material in the DirX Directory Administration Reference for details.)

The default value (as of OpenSSL V3.1.0) for this attribute is 1.

Specify one of the following values:

0 - Level 0

Everything is permitted.
This setting retains compatibility with previous versions of OpenSSL.

1 - Level 1 (OpenSSL default)

The security level corresponds to a minimum of 80 bits of security.
Any parameters offering below 80 bits of security are excluded.
As a result, RSA, DSA, and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited.
All export cipher suites are prohibited since they all offer less than 80 bits of security.
SSL version 2 is prohibited.
Any cipher suite using MD5 for Mac OS X is also prohibited.

2 - Level 2 (The default DirX Directory keymaterial fullfills the requirements for this level.)

The security level is set to 112 bits of security.
As a result, RSA, DSA, and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
In addition to the Level 1 exclusions, any cipher suite using RC4 is also prohibited.
SSL version 3 is also not allowed.
Compression is disabled.

3 - Level 3

The security level is set to 128 bits of security.
As a result, RSA, DSA, and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
In addition to the Level 2 exclusions, cipher suites that do not offer forward secrecy are prohibited.
TLS versions below 1.1 are not permitted.
Session tickets are disabled.

4 - Level 4

The security level is set to 192 bits of security.
As a result, RSA, DSA, and DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited.
Cipher suites using SHA1 for Mac OS X are prohibited.
TLS versions below 1.2 are not permitted.

5 - Level 5

Security level set to 256 bits of security.
As a result, RSA, DSA, and DH keys shorter than 15360 bits and ECC keys shorter than 512 bits are prohibited.

Notes:

  1. If no value is specified (the attribute is missing in the subentry) a default takes place that is chosen by OpenSSL.

  2. The values may differ in meaning for later OpenSSL versions. You may want to search for the function SSL_set_security_level in the OpenSSL documentation for more details and levels.

  3. Be aware that the higher the level, the more challenging it will be to provide a suitable PKI key material. The current default (OpenSSL V3.1.0) for both values is 1. The demo PKI key material delivered along with the DirX Directory installation is suitable for levels 1 and 2 only. Thus, if you set higher levels, ensure that your PKI material fits the needs.

Abbreviation

LSLA

LDAP Name(s)

ldapSecLevelA

Syntax (DAP)

Integer

Example (DAP)
LSLA=2
Example (LDAP)
ldapSecLevelA=2

LDAP Security Level B

The LDAP Security Level B single-valued attribute specifies the minimum required security level for incoming LDAP client connections for OpenSSL.

The default value (as of OpenSSL V3.1.0) for this attribute is 1.

See the LDAP Security Level A attribute for the allowed values and details.

Abbreviation

LSLB

LDAP Name(s)

ldapSecLevelB

Syntax (DAP)

Integer

Example (DAP)
LSLB=2
Example (LDAP)
ldapSecLevelB=2

LDAP Supported Encryption Strength

The LDAP Supported Encryption Strength multi-valued attribute specifies the cipher suites that are accepted in the SSL handshake protocol for version TLSv1.0 up to TLSv1.2. Cipher suites are algorithms for signing, encryption, and hashing.

The values specified in this attribute comprise short names and explicit cipher suite names. Examples for valid short names values are HIGH, MEDIUM, RSA or ALL. Examples for explicit cipher suite names are ECDH-RSA-DES-CBC3-SHA or EDH-RSA-DES-CBC-SHA.

Use the openssl command "openssl ciphers" to retrieve the complete list of explicit cipher suite names supported by the DirX Directory LDAP server. The complete list of the supported short names are documented on https://www.openssl.org/docs/man1.0.2/man1/ciphers.html.

The default value of this attribute is RSA: all cipher suites that use the RSA algorithm are accepted.

See the description of the attribute LDAP Supported Encryption Strength Extended for details on how to set ciphers for the TLS protocol version 1.3.

Abbreviation

LSSES

LDAP Name(s)

supportedEncryptionStrength

Syntax (DAP)

Directory String {40}

Example (DAP)
LSSES=ECDHE-RSA-AES256-SHA;ECDH-RSA-DES-CBC3-SHA; ECDH-RSA-AES128-SHA

These values explicitly set the specified three values as the only accepted cipher suites.

Example (LDAP)
supportedEncryptionStrength=HIGH;RSA

These two values set the supported cipher suites to those that belong to the groups HIGH or RSA.

LDAP Supported Encryption Strength Extended

The LDAP Supported Encryption Strength Extended multi-valued attribute specifies the cipher suites that are accepted in the SSL handshake protocol for version TLSv1.3. Cipher suites are algorithms for signing, encryption, and hashing.

The values specified in this attribute correspond to the TLS1.3 specification. The following list comprises all five valid cipher suites for the TLS 1.3 protocol:

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_CCM_8_SHA256

TLS_AES_128_CCM_SHA256

Possible value is also the keyword DEFAULT (the first three cipher suites of the previous list).

The default value of this attribute is DEFAULT.

See the description of the attribute LDAP Supported Encryption Strength for details on how to set accepted ciphers for the TLS protocol versions 1.0 up to 1.2.

Abbreviation

LSSESEX

LDAP Name(s)

supportedEncryptionStrengthExt

Syntax (DAP)

Directory String {1024}

Example (DAP)
LSSESEX={TLS++_++AES++_++256++_++GCM++_++SHA384;TLS++_++AES++_++128++_++GCM++_++SHA256}

These values explicitly set the specified two values as the only accepted cipher suites.

Example (LDAP)
supportedEncryptionStrengthExt=DEFAULT

These value set the default cipher suites for the TLSv1.3 protocol.

LDAP Supported Security Protocols

The LDAP Supported Security Protocols multi-valued attribute specifies the supported security protocols. The actual protocol version used for a particular SSL/TLS connection is negotiated during SSL connection establishment. Valid values are:

  • TLSv1.0 - The LDAP server accepts TLSv1.0 security protocol.

  • TLSv1.1 - The LDAP server accepts TLSv1.1 security protocol.

  • TLSv1.2 - The LDAP server accepts TLSv1.2 security protocol.

  • TLSv1.3 - The LDAP server accepts TLSv1.3 security protocol.

By default, the LDAP server accepts all versions of the security protocol listed above (so the default for this attribute is all values).

Abbreviation

LSSSP

LDAP Name(s)

supportedSecurityProtocols

Syntax (DAP)

Directory String {128}

Example (DAP)
LSSSP=TLSv1.0
Example (LDAP)
supportedSecurityProtocols=TLSv1.2;TLSv1.2

LDAP SSL Trace File

The LDAP SSL Trace File attribute specifies the full pathname of the directory in which the SSL-specific log files are located. SSL-specific log file names are in the format:

sslpid.log

where pid is the process ID of the LDAP server process that created the log file.

The default value of this attribute is install_path/ldap/log

Abbreviation

LSTFI

LDAP Name(s)

SSLTraceFile

Syntax (DAP)

Directory String {1024}

Example (DAP)
(on Linux systems)
LSTFI=/opt/dirx/ldap/log/ssl
(on Windows systems)
LSTFI={C:/Program Files/DirX/Directory/ldap/log/ssl}
Example (LDAP)
(on Linux systems)
SSLTraceFile=/opt/dirx/ldap/log/ssl
(on Windows systems)
{SSLTraceFile=C:/Program Files/DirX/Directory/ldap/log/ssl}

Note that the forward slash (/) and the backslash (\) characters can be used as separators for Linux and Windows pathnames because the value is read and interpreted only by the dirxldapv3 program. Note also that the curly braces ({}) in the Windows example are necessary because of the blank character contained in the example’s pathname.

LDAP SSL Trace Level

The LDAP SSL Trace Level attribute specifies the level of SSL internal logging. Valid values are the integers 0 and 1, where 0 indicates that SSL logging is turned off.

The default value of this attribute is 0 (SSL logging is turned off).

It is recommended to turn on SSL internal logging only if TLS handshake problems must be debugged. The logging can result in huge logging files that may contain confidential data.

Abbreviation

LSTLE

LDAP Name(s)

SSLTraceLevel

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LSTLE=1
Example (LDAP)
SSLTraceLevel=1

LDAP SSL Client Authentication Required

The LDAP SSL Client Authentication Required attribute specifies whether or not the LDAP server requires SSL Client Authentication for SSL protected connections. When a client performs SSL Client Authentication, he/she requires a user certificate and a private key.

If the value is FALSE, clients are not required to perform SSL Client Authentication when establishing the SSL/TLS connection.

If the value is TRUE, clients are required to perform SSL Client Authentication when establishing the SSL/TLS connection.

In the LDAPv3 protocol, SSL Client Authentication is performed with a SASL bind when the
-mechanism EXTERNAL option is specified. (See the recommendations entitled Lightweight Directory Access Protocol (LDAP): The Protocol (RFC 4511) and Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms (RFC 4513) for details.)

The dirxcp command performs SASL-authenticated binds when the -sasl option is specified in the obj bind operation. See the obj bind operation in the DirX Directory Administration Reference for details.

The default value of this attribute is FALSE (SSL Client Authentication is not required).

In the security layer, SSL/TLS client authentication takes place during connection establishment. The LDAP server’s security layer verifies the authentication during the process that establishes the connection.

If the LDAP SSL Client Authentication Required attribute is TRUE, the LDAP server processing also depends on the settings of the following attributes:

  • LDAP SASL Authz Id Mapping (ldapSaslAuthzIdMapping)

  • LDAP Trusted CA Certs (ldapTrustedCACerts)

  • LDAP SSL CRL Checking (ldapSslCrlChecking)

The LDAP server maps an LDAP SASL bind with the EXTERNAL mechanism onto a special DAP bind to the DSA. The DSA checks whether a trusted LDAP server has issued this DAP bind by evaluating the IP address of the LDAP server’s host. By default, only local LDAP servers are trusted, but you can specify the range of accepted IP addresses in the environment variable DIRX_SSL_HOSTS. If the DSA does not trust the LDAP server due to the IP address, the following error message is written to the EXC files or Windows eventing: Host ip-address not allowed as SSL bind initiator.

Abbreviation

LSCAR

LDAP Name(s)

requireSSLClientAuth

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LSCAR=FALSE
Example (LDAP)
requireSSLClientAuth=FALSE

LDAP SASL Authz Id Mapping

The LDAP SASL Authz Id Mapping attribute specifies how a client entity authenticated by an SASL-authenticated bind over SSL-protected LDAPv3 protocol (ldap sasl bind) with the EXTERNAL mechanism is mapped onto an Authorization ID.

When performing an LDAP SASL bind with the mechanism EXTERNAL, the SSL/TLS layer performs the client authentication. It is a mutual strong authentication performed between the LDAP client and the LDAP server. On successful authentication, the user’s public key certificate is sent to the DSA. The LDAP SASL Authz Id Mapping attribute allows you to define, on a LDAP server process basis, the mapping from the user’s certificate onto the distinguished name that will be used for successive access control decisions. The attribute LDAP SASL Authz Id Mapping attribute is only evaluated for SASL binds; that is, if the LDAP SSL Client Authentication is activated by setting the LDAP SSL Client Authentication Required attribute to TRUE. (See the LDAP SSL Client Authentication Required attribute for details.)

DirX Directory supports the following choices for the mapping onto the DN representing the Authorization ID. The string values are case sensitive:

  • Certificate.subjectDN:

This value instructs the DSA to use the DN subjectDN contained in the userCertificate as the Authorization ID directly. No mapping onto an existing entry is performed. After passing the SSL/TLS authentication, an LDAP SASL bind that is configured with Certificate.subjectDN cannot fail with the error code invalid Credentials. An entry with the subjectDN does not need to exist in the DIT of the DSA. However, the DN subjectDN or groups containing that DN can be used in Access Control Items.

  • Certificate:

This value instructs the DSA to map onto an existing entry using the userCertificate attribute value with the OID 2.5.4.36. During the bind procedure performed for SASL binds, the DSA performs an internal local search operation that uses the whole certificate as the search filter. The Certificated Exact matching rule applies the certificate matches if the serialNumber and the issuerDN are identical. The userCertificate attribute must be indexed (INITIAL and PRESENT), otherwise the search is rejected and the LDAP SASL bind fails. If the DSA finds exactly one entry in the DIT that owns a certificate with the same value as was used in the LDAP SASL bind, the bind is completed successfully and the Authorization ID is set to the found entry’s DN. An LDAP SASL bind that is configured with Certificate may fail despite the successful completion of the SSL/TLS authentication. See the paragraph below.

  • Certificate.extensions.altName.email:

This value instructs the DSA to map onto an existing entry using the value of the subjectAlternateName extension from the user’s certificate. During the bind procedure performed for SASL binds, the DSA performs an internal local search operation that uses the value contained in the subjectAlternateName extension with the choice “rfc822 name” of the certificate as the search filter. The attribute type of the search filter is by default the email attribute value with the OID 1.2.840.113549.1.9.1.

The email attribute must be indexed (INITIAL and PRESENT), otherwise the search is rejected and the LDAP SASL bind fails. If the DSA finds exactly one entry in the DIT that owns an email with the same value as in the extension of the certificate that was used in the LDAP SASL bind, the bind is completed successfully and the Authorization ID is set to the found entry’s DN.

It is possible to use another attribute of the entry to map onto the Authorization ID by setting the environment variable DIRX_MAP_CERT_ALTNAME_ATTR. The value of this environment variable must be the OID of the attribute to be used in dotted notation. The attribute must have an IA5Str Syntax, its matching rules may be caseIgnore or caseExact. With respect to indexing the same preconditions apply as for the email attribute as described above.

An LDAP SASL bind that is configured with Certificate.extensions.altName.email may fail despite the successful completion of the SSL/TLS authentication.

Values different from the three valid values above are accepted by the directory server when changing the LDAP SSL Configuration Subentry. However, LDAP SASL binds performed via the respective LDAP server will fail with LDAP operation error. The LDAP message that is returned with the bind error to the LDAP client is sasl bind: invalid mapping configured: the-invalid-configuration-value.

The default value of this attribute is Certificate.subjectDN.

The LDAP SASL bind may fail in different stages of the operation:

  • SSL/TLS client authentication may fail because the cryptographic validation of the authentication token results in an error or because the Certificate issuer is not trusted. (The DirX Directory LDAP server uses the attribute LDAP Trusted CA Certs for the purpose of specifying trusted issuers.) Another SSL/TLS handshake error can occur, if CertificateRevocation List Checking is enabled (the LDAP SSL CRL Checking attribute has the value 1) and the revocation check of the user’s certificate fails. If an SSL/TLS handshake error occurs, the SASL bind fails with a remote abort receive error (Can’t connect to the LDAP server).

  • An Invalid Credentials Error may occur only if the LDAP SASL Authz Id Mapping attribute is set to Certificate or Certificate.extensions.altName.email:

  • The DSA returns an Invalid Credentials Error if the mapping fails; that is, if the internal search operation returns 0 or more than one single entry.

  • The DSA also returns an Invalid Credentials Error if the supplied userCertificate is unsuitable for the configured mapping method; for example, the certificate does not contain an email in the altName extension while the configuration is set to Certificate.extensions.altName.email.

  • An LDAP operation error may occur due to various defects:

  • The internal search operation is rejected due to the lack of the INITIAL and PRESENT index on the userCertificate or email attribute.

  • A runtime error (lack of resources) occurred.

  • A data error (for example, decoding of the certificate extensions) occurred.

Abbreviation

LSAIM

LDAP Name(s)

ldapSaslAuthzIdMapping

Syntax (DAP)

Directory String {1024}

Syntax (LDAP)

Directory String {1024}

Example (DAP)
LSAIM=Certificate.subjectDN
Example (LDAP)
ldapSaslAuthzIdMapping=Certificate.subjectDN

LDAP SSL CRL Checking

The LDAP SSL CRL Checking attribute specifies whether or not the client certificate specified in the context of an LDAP SASL EXTERNAL bind is also checked against a certificate revocation list (CRL). To perform LDAP SASL binds with the mechanism EXTERNAL, the LDAP SSL Client Authentication Required attribute must be TRUE.

If the LDAP SSL CRL Checking attribute has the value 1, CRL checking is performed. If its value is 0, CRL checking is not performed. Once CRL checking is enabled, at least one CRL file must be specified. (See the attribute LDAP SSL CRL Filenames (ldapSslCrlFilenames)). If no proper CRL file is configured, the server does not start.

The DirX Directory LDAP server uses CRLs stored locally in Privacy Enhanced Mail (PEM)-formatted files that are read during LDAP server process startup or when explicitly required by an LDAP extended operation. (See the attribute LDAP SSL CRL Filenames (ldapSslCrlFilenames) for details.)

If CRL checking is enabled, the following attributes of the LDAP SSL Configuration subentry control the check procedure:

  • LDAP SSL CRL Filenames (ldapSslCrlFileNames)

  • LDAP SSL Tolerate Missing CRL (ldapSSLTolerateMissingCrl)

  • LDAP SSL Allow NYV CRL (ldapSSLAllowNYVcrl)

  • LDAP SSL Allow Expired CRL (ldapSSLAllowExpiredCrl)

The CRL check is the last check that the LDAP server performs during the authentication process. Trusting the issuer of the client certificate is the precondition. (See the LDAP Trusted CA Certs (ldapTrustedCACerts) attribute for details.)

The default value of this attribute is 0; that is, CRL checking is disabled by default.

Abbreviation

LSCRLC

LDAP Name(s)

ldapSslCrlChecking

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
LSCRLC=1
Example (LDAP)
ldapSslCrlChecking=1

LDAP SSL CRL Filenames

The LDAP SSL CRL Filenames attribute specifies the name(s) of the files containing the PEM-formatted certificate revocation lists (CRLs) that are to be used to check the certificate for revocation in the context of an LDAP SASL bind with the mechanism type EXTERNAL. DirX Directory does not support delta CRLs.

This attribute is multi-valued. Each value contains the name of a file that contains one CRL in PEM Privacy Enhanced Mail (PEM) format. A PEM formatted CRL consists of the base64 encoded binary CRL enclosed in the lines

-----BEGIN X509 CRL-----

-----END X509 CRL-----

To convert binary CRLs to PEM formatted CRLs you can use the following openssl command:

openssl crl -inform DER -in certlist.crl -outform PEM -out crl.pem.

Incorrect file content results in a fatal error at LDAP server startup.

Specify the filename values either as fully-qualified pathnames or as filenames without any path. If a filename without any path is specified, the LDAP server expects the file to reside in the directory install_path/ldap/conf.

By default, the value of this attribute is absent.

As the attribute is multi-valued, more than one CRL can be loaded for certificate verification. Each CRL usually refers to a different certification authority (CA), but you can specify more than one CRL file for the same CA with different names. For example, FileA-CRL is an older version of a FileB-CRL. If both names are added to the list, the general rule is that the most recently loaded CRL overwrites any existing version. The sequence of the names cannot be predicted when they are read from the subentry.

The size of a specified CRL has a significant impact on the LDAP server start-time and the time to generate the internal SSL_CTX into which the CRL is stored; for example, a CRL of 30 MB lasts up to 1 minute to be loaded.

If multiple LDAP servers refer to the same CRL file, the behavior during server start-up or CRL refresh is undefined. To avoid conflicts, use separate CRL names for each server; that is, there may be several copies of the same CRL, one copy for each LDAP server.

To update the CRLs for an LDAP server during runtime, use the LDAP extended operation ldal_ssl_ctx_update. Use the dirxextop command or DirX Directory Manager (Monitoring View -> LDAP -> SSL -> Create New Context (CRL refresh) or Configuration View -> LDAP Configuration Subentries -> LDAP SSL Configuration Subentry -> Client Authentication -> Refresh CRLs) to perform this LDAP extended operation. (See the dirxextop reference page in the DirX Directory Administration Reference for details.) The LDAP server creates a new SSL context, re-reads the values of the LDAP SSL CRL Filenames attribute and re-loads the CRLs. While this dynamic CRL update is in progress, no LDAP bind operation is blocked or postponed. SSL SASL binds are checked against the old CRLs. Once the new CRLs are fully loaded, SSL SASL binds are checked against the new CRLs.

Abbreviation

LSCRLF

LDAP Name(s)

ldapSslCrlFileNames

Syntax (DAP)

Directory String {1024}

Syntax (LDAP)

Directory String {1024}

Example (DAP)
(on Linux systems)
LSCRLF=/home/dirx/ldap/conf/ssl/mycrl.pem
(on Windows systems)
{LSPPF=C:/Program Files/DirX/Directory/ldap/conf/ssl/mycrl.pem}
Example (LDAP)
ldapSslCrlFileNames=mycrl.pem

This file must be located under install_path/ldap/conf.

LDAP SSL Tolerate Missing CRL

The LDAP SSL Tolerate Missing CRL attribute controls whether or not a client certificate presented in the context of an LDAP SASL bind with the EXTERNAL mechanism is rejected if a suitable CRL cannot be found in the given CRL list.

When a client certificate arrives, the server tries to find a matching CRL; that is, the issuer of the CRL and the issuer of the certificate must match. If a suitable CRL is found, this attribute has no further meaning. If no suitable CRL is found, this attribute controls whether the server rejects or accepts a certificate during the SSL handshake.

If this attribute has the value 1, certificates are accepted even if a matching CRL cannot be found. If the value is 0, certificates are rejected if a matching CRL cannot be found.

The default value of this attribute is 0.

Abbreviation

LSTMCRL

LDAP Name(s)

ldapSslTolerateMissingCrl

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
LSTMCRL=1
Example (LDAP)
ldapSslTolerateMissingCrl=1

LDAP SSL Allow NYV CRL

The LDAP SSL Allow NYV CRL attribute controls whether or not a client certificate presented in the context of an LDAP SASL bind with the mechanism EXTERNAL is rejected if the corresponding CRL is not yet valid.

A CRL usually contains the lastUpdateTime field which specifies the issuing date. This issuing date can be a date in the future. During certificate checking, OpenSSL can generate a Crl-Not-Yet-Valid error if the CRL’s lastUpdateTime is not yet reached. The LDAP SSL Allow NYV CRL attribute specifies whether or not this error is ignored.

If this attribute has the value 1, certificates are accepted even if the CRL is not yet valid. If the value is 0, certificates are rejected if the CRL is not yet valid.

The default value of this attribute is 0.

Abbreviation

LSANCRL

LDAP Name(s)

ldapSslAllowNYVCrl

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
LSANCRL=1
Example (LDAP)
ldapSslAllowNYVCrl=1

LDAP SSL Allow Expired CRL

The LDAP SSL Allow Expired CRL attribute controls whether or not a client certificate presented in the context of an LDAP SASL bind with the mechanism EXTERNAL is rejected if the corresponding CRL has expired.

A CRL contains a field nextUpdateTime that specifies the date when the CA issues an updated version of the current CRL. If the nextUpdateTime is in the past, the OpenSSL provider generates a CRL-Expired error during Client-Certificate-Validation. The attribute ldapSSLAllowExpiredCrl controls whether or not this error is ignored.

If this attribute has the value 1, certificates are accepted even if the CRL has expired. If the value is 0, certificates are rejected if the CRL has expired. If the value is 0, the CRL must be updated before its expiration date. Otherwise, all certificates issued by the corresponding CA are rejected after the CRL has expired.

The default value of this attribute is 0.

Abbreviation

LSAECRL

LDAP Name(s)

ldapSslAllowExpiredCrl

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
LSAECRL=1
Example (LDAP)
ldapSslAllowExpiredCrl=1

Attributes of the LDAP SSL Configuration Subentry for the LDAP Server Personal Security Environment (PSE)

To establish an LDAP connection over the SSL/TLS layer successfully, the DirX Directory LDAP server must have a Personal Security Environment (PSE). This PSE comprises the following items:

  • The LDAP server’s own key material, which consists of the public key certificate and the private key. This key material is required for every kind of SSL connection. It is used in the context of the SSL/TLS handshake protocol for the purpose of server authentication. The key and the certificate must be enclosed in a password-protected PEM file. Usually, the LDAP client application must store the server public key certificate in a local certificate database because it might check the acceptability of the server authentication (for example for Java-based clients, the certificate must be imported into the key store of the application).

    The LDAP server’s own public key certificate and private key is stored in the LDAP Own Keymaterial PEM attribute.

  • The password that is used to protect the private key in the PEM file.

    The full pathname to the file that contains this password is stored in the LDAP PKCS12 Password File attribute.

  • The list of Certification Authority (CA) certificates the LDAP server trusts to issue user certificates, if SSL/TLS client authentication is required (see the section LDAP SSL Client Authentication Required for details). The LDAP server uses the list of CA certificates to decide whether a trusted CA issued the certificate provided by the user during the SSL/TLS handshake protocol.

    The list of CA certificates is stored in the multi-valued LDAP Trusted CA Certs attribute.

The following sections provide information about the attributes of the LDAP server PSE.

LDAP Own Keymaterial PEM

The LDAP Own Keymaterial PEM attribute stores the LDAP server’s PEM-formatted key material. The PEM input must contain:

  1. The LDAP server’s the encrypted private key

  2. The LDAP server’s public key certificate

  3. Optionally the CA certificates of the issuing CAs

in the order specified above.

The decryption password is stored in a separate file. (See the LDAP PKCS12 Password File reference page for details.)

The DirX Directory installation copies an example key material file at the location
install_path/ldap/conf/cert_ldapserver.pem.

Because certificates have a limited lifetime, they may expire and lose their validity. The DirX Directory LDAP server checks the remaining validity period of its public key certificate. If this period is less than 30 days, the LDAP server sends the dirxCertExpiry SNMP trap and issues a warning, and the LDAP server exception file contains the following entry:

SEC_error: "WARNING: Your Server-SSL key material will expire soon!! Please refresh!

The LDAP server checks the expiration date during every SSL handshake (SSL-Bind). The environment variable DIRX_LDAP_SSL_EXPIRY_WARN_TIME controls expiration alerting.

Abbreviation

LSOKP

LDAP Name(s)

ldapOwnKeymaterialPEM

Syntax (DAP)

Octet String

Example (DAP)

In the following example, the PEM-formatted content of the file cert_ldapserver.pem is stored as the LSOKP attribute value of the LDAP SSL configuration subentry using the obj modify operation of the dirxcp command:

dirxcp> modify /o=my-company/cn=ldapsslConfiguration -add
LSOKP_FILE=cert_ldapserver.pem
Example (LDAP)

In the following example, the PEM-formatted content of the file cert_ldapserver.pem is stored as the ldapOwnKeymaterialPEM attribute value of the LDAP SSL configuration subentry using the obj modify operation of the dirxcp command:

dirxcp> modify cn=ldapsslConfiguration,o=my-company -add
ldapOwnKeymaterialPEM_FILE=cert_ldapserver.pem
LDAP Trusted CA Certs

The multi-valued LDAP Trusted CA Certs attribute stores CA Certificates of those authorities that the LDAP server trusts to issue valid user certificates. The values of this attribute are plain binary X.509 CA Certificates; usually the content of a .cer/.der file. (For information how to store the file content as attribute values, see the section Attribute Values in a File in the chapter DirX Directory String Representation for DAP Binds.)

The LDAP Trusted CA Certs attribute is only used when the LDAP server supports client authentication. (See the section LDAP SSL Client Authentication Required for details.) There is no default value for this attribute.

For information about SSL/TLS client authentication and its relationship to LDAPv3, see the recommendations entitled Authentication Methods and Security Mechanisms (RFC 4513).

Abbreviation

LSTCC

LDAP Name(s)

ldapTrustedCACerts

Syntax (DAP)

Certificate

Example (DAP)

In the following example, the content of the file cacert1.der is stored as LSTCC attribute values of the LDAP SSL configuration subentry using the obj modify operation of the dirxcp command:

dirxcp> modify /o=my-company/cn=ldapsslConfiguration -add LSTCC_ANY_FILE=cacert1.der
Example (LDAP)

In the following example, the content of the file cacert1.der is stored as ldapTrustedCACerts attribute values of the LDAP SSL configuration subentry using the obj modify operation of the dirxcp command:

dirxcp> modify cn=ldapsslConfiguration,o=my-company -add ldapTrustedCACerts_ANY_FILE=cacert1.der
LDAP PKCS12 Password File

The LDAP PKCS12 Password File attribute specifies the full pathname of the file that contains the password for access to the private key of the LDAP server.This key is stored in the LDAP Own KeymaterialPEM attribute (in older DirX Directory versions, the key is stored in the LDAP Own Keymaterial attribute).The password is used during the process of creating the PEM file, for example, by using the openssl command line tool.

The format of the value specified in the password file is indicated by an optional tag that is also contained in this file.After the initial administration, it is the clear text password.Once the LDAP server has accessed the file one time, it changes the content to the encrypted format of the password.Note that the clear text password must not be longer than 160 characters and must not start with the string "{ENC}".

It is strongly recommended to protect the password file by means of the operating system so that access is only granted to the LDAP server process.

The default value of this attribute is install_path/ldap/conf/dirx_pkcs12.pwd. It is strongly recommended to use this default.

Abbreviation

LSPPF

LDAP Name(s)

Pkcs12PasswordFile

Syntax (DAP)

Directory String {1024}

Example (DAP)
(on Linux systems)
LSPPF=/opt/dirx/ldap/conf/ssl/dirx_pkcs12.pwd
(on Windows systems)
{LSPPF=C:/Program Files/DirX/Directory/ldap/conf/ssl/dirx_pkcs12.pwd}
Example (LDAP)
(on Linux systems)
Pkcs12PasswordFile=/opt/dirx/ldap/conf/ssl/dirx_pkcs12.pwd
(on Windows systems)
{Pkcs12PasswordFile=C:/Program Files/DirX/Directory/ldap/conf/ssl/dirx_pkcs12.pwd} +

Note that the forward slash (/) and the backslash (\) characters can be used as separators for Linux and Windows pathnames because the values are interpreted only by the dirxldapv3 program. Also note that curly braces must enclose a Windows pathname when it contains space characters, as shown in the example above.

Obsolete Attributes of the LDAP SSL Configuration Subentry for the LDAP Server PSE

This section provides information about the following attributes:

  • LDAP Own Keymaterial

  • LDAP Own Keymaterial File

  • LDAP Valid Root CAs File

These attributes are obsolete and are supported only for compatibility reasons. In a shadowing environment, DirX Directory V8.2B servers may store configuration subentries used by directory server instances running older DirX Directory versions.

It is not allowed to use these attributes to store key material for DirX Directory V8.2B LDAP servers and newer. The LDAP Own KeymaterialPEM and LDAP Trusted CA Certs attributes must be used to store the own key material and the trusted CA certs. If the LDAP SSL configuration subentry contains the attributes LDAP Own KeymaterialPEM and LDAP Trusted CA Certs, the LDAP server ignores the obsolete attributes LDAP Own Keymaterial, LDAP Own Keymaterial File and LDAP Valid Root CAs File.

Attributes for LDAP Server Audit Configuration

Attributes for LDAP server audit configuration are attributes of the LDAP server audit configuration subentry with the default name /CN=ldapAudit. (This name is referenced in the LDAP Audit Configuration Subentry CN (LACCN) attribute of the LDAP Server Configuration subentry.) All attributes are optional. Run the script ldap_auditcfg.cp (using dirxcp) to create a default LDAP audit configuration subentry that specifies default values for the DirX Directory LDAP server. Use the dirxcp obj operations to modify the attributes of the default LDAP audit configuration subentry or to create new LDAP audit configuration subentries. Like all other subentries, it cannot be created via LDAP. However, it can be modified via LDAP. Modifications of an LDAP audit configuration subentry become effective after a restart of the LDAP server or by performing the
dirxadm ldap audit –config operation.

LDAP Audit On

The LDAP Audit On single-valued attribute specifies whether LDAP server auditing is enabled (value TRUE) at start-up time of the LDAP server or disabled (value FALSE). This attribute is also evaluated when you perform re-configuration via the dirxadm ldap audit –config operation. The default value is FALSE.

If LDAP auditing is enabled, you can use the LDAP Audit Start Time (LASTA) and the LDAP Audit Stop Time (LASTO) attributes to specify a time period when the LDAP server records audit information. If no start time (LASTA attribute) is specified, the LDAP server starts recording of audit information at LDAP server start-up or at LDAP server re-configuration by performing the dirxadm ldap audit –config operation.

LDAP auditing can be enabled dynamically by performing the dirxadm ldap audit –start operation. LDAP auditing can be disabled dynamically by performing the dirxadm ldap audit
–stop operation. The current LDAP audit status can be displayed by performing the dirxadm ldap audit –info operation.

Abbreviation

LAON

LDAP Name(s)

ldapAuditOn

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean (LDAP Style)

Example (DAP)
LAON=TRUE LDAP auditing enabled at startup or after re-configuration
LAON=FALSE LDAP auditing disabled at startup or after re-configuration
Example (LDAP)
ldapAuditOn=TRUE LDAP auditing enabled at startup or after re-configuration
ldapAuditOn=FALSE LDAP auditing disabled at startup or after re-configuration

LDAP Audit Destination

The LDAP Audit Destination single-valued attribute specifies the initial pathname of the directory in which the LDAP server’s audit log file with the name audit.log is located. Each LDAP server opens its audit log file exclusively. Therefore, the name of the LDAP server’s configuration subentry is appended as the subdirectory name. This directory must exist before LDAP server auditing is enabled for the first time. Otherwise the LDAP server exits.

The full pathname of the LDAP server’s audit log file is in the format:

LDAP_Audit_Destination*/LDAP_Configuration_Subentry_Name/audit.log*

where LDAP_Audit_Destination is the value of the LDAP Audit Destination attribute, LDAP_Configuration_Subentry_Name is the name of the LDAP server’s current configuration subentry, and audit.log is the name of the LDAP server’s audit log file. (See the section Setting Up Multiple LDAP Servers of chapter Setting Up an LDAP Server in the Administration Guide for details on multiple LDAP servers.)

The default value of the LDAP Audit Destination attribute is install_path*/ldap/audit*. The default LDAP server’s configuration subentry name is ldapConfiguration. The default full pathname of the audit log file is install_path/ldap/audit/ldapConfiguration/audit.log.

Abbreviation

LADE

LDAP Name(s)

ldapAuditDestination

Syntax (DAP)

Directory String {32768}

Example (DAP)
(on Linux systems)
LADE=\/opt\/dirx\/ldap\/log\/audit

Assuming that the default LDAP configuration subentry is used the full pathname of the audit log file is /opt/dirx/ldap/log/audit/ldapConfiguration/audit.log.

(on Windows systems)
LADE=C:\\Program Files\\DirX\\Directory\\ldap\\log\\audit

Assuming that the default LDAP configuration subentry is used, the full pathname of the audit log file is C:\Program Files\DirX\Directory\ldap\log\audit\ldapConfiguration\audit.log.

The slash (/) and the backslash (\) character must be escaped by a backslash (\) character.
Example (LDAP)
(on Linux systems)
ldapAuditDestination=\/opt\/dirx\/ldap\/log\/audit

Assuming that the default LDAP configuration subentry is used, the full pathname of the audit log file is /opt/dirx/ldap/log/audit/ldapConfiguration/audit.log.

(on Windows systems)
ldapAuditDestination=C:\\Program Files\\DirX\\Directory\\ldap\\log\\audit

Assuming that the default LDAP configuration subentry is used, the full pathname of the audit log file is C:\Program Files\DirX\Directory\ldap\log\audit\ldapConfiguration\audit.log.

The slash (/) and the backslash (\) character must be escaped by a backslash (\) character.

LDAP Audit Size Limit

The LDAP Audit Size Limit single valued attribute specifies the maximum number of audit records of the LDAP server’s audit log file. Every LDAP operation creates one audit record. The value of 0 allows files with an unlimited number of records. The default value is 50000. The maximum number of audit records must be greater than 100. Otherwise the default value is used.

The LDAP operations logged can be specified in the attribute LDAP OP Selection. The size of one record in bytes depends on the data and the configuration settings specified in the attributes LDAP Audit Level and LDAP Audit Value Limit.

Independent of the setting of the LDAP Audit Size Limit attribute, the size of the LDAP audit log file is limited to 256 MB by default because the dirxauddecode command must be used to evaluate the binary audit log files. Due to the 32-bit I/O mechanism, dirxauddecode is not able to handle files greater than 2GB, neither as input nor as output. dirxauddecode may run into a deadlock. The administrator can specify another maximum file size than 256 MB in the LDAP Audit Max File Size attribute (See section below for details.)

If either the LDAP Audit Size Limit (maximum number of audit records) or the LDAP Audit Max File Size (maximum size of the audit file) is exceeded, the LDAP Audit Overflow attribute specifies the action to take. (See the section LDAP Audit Overflow in this chapter for details.)

Abbreviation

LASL

LDAP Name(s)

ldapAuditSizeLimit

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LASL=500
Example (LDAP)
ldapAuditSizeLimit=500

LDAP Audit Max File Size

The LDAP Audit Max File Size single-valued attribute specifies the maximum file size of the LDAP server’s audit log file in MB. A value of 0 specifies an unlimited file size. Note that this behavior may lead to errors due to the 32-bit I/O mechanism when files exceed 2 GB. The default file size is 256 MB.

Additionally to the LDAP Audit Max File Size attribute, the maximum number of records specified in the LDAP Audit Size Limit attribute also limits the size of the LDAP server’s audit log file. (See section above for details.)

If either the LDAP Audit Max File Size or the LDAP Audit Size Limit is exceeded, the LDAP Audit Overflow attribute specifies the action to take. (See section LDAP Audit Overflow of this chapter for details.)

It is recommended not to specify too small limits because wrapping or moving the audit log file is rather expensive compared to writing an audit record.

The dirxauddecode command evaluates the binary LDAP audit log file and generates an ASCII output file. Due to 32-bit code and internal data representation, the dirxauddecode command cannot handle files greater than 2GB. Unfortunately, it is not possible to determine the size of the generated ASII output file from the binary audit log file. However, the generated ASCII output file is usually five to ten times greater than the binary LDAP audit log file. Therefore, it is necessary to limit the maximum file size.

Abbreviation

LAMFS

LDAP Name(s)

ldapAuditMaxFileSize

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LAMFS=512
Example (LDAP)
ldapAuditMaxFileSize=512

LDAP Audit Overflow

The LDAP Audit Overflow single-valued attribute specifies the action to take when the maximum record number specified in the LDAP Audit Size Limit attribute or the file size specified in the LDAP Audit Max File Size attribute is reached. Specify one of the following values:

  • stopService - Shut down the LDAP server. An exception message is written. The LDAP server is not re-started automatically.

  • stopAudit - Cease auditing. LDAP server continues without auditing. An exception message is written.

  • wrapAround - Begin writing at the top of the log file, overwriting the old content.

  • moveFile - Close the audit file currently in use and rename it by appending the current UTC time in ZULU format and a counter from 000 to 999, for example audit.log.20010510104511Z_001. This renamed file can be evaluated by using the dirxauddecode command. A new audit log file is created. Auditing is continued using the current configuration settings.

  • multiWrap - Begin writing at the top of the next log file, overwriting the old content. The LDAP Audit Number Wraparound Files specifies the number of additional audit log files in use. (See section below for details.)

The default value is wrapAround.

Abbreviation

LAOF

LDAP Name(s)

ldapAuditOverFlow

Syntax (DAP)

Directory String {32768}

Example (DAP)
LAOF=moveFile

Closes the currently used file when LDAP Audit Size Limit is exceeded, renames the closed file to audit.log.timestamp and continues auditing in the newly created file audit.log.

Example (LDAP)
ldapAuditOverFlow=moveFile

Closes the currently used file when LDAP Audit Size Limit is exceeded, renames the closed file to audit.log.timestamp and continues auditing in the newly created file audit.log.

LDAP Audit Number Wraparound Files

The LDAP Audit Number Wraparound Files single-valued attribute specifies the number of additional audit log files in use when the LDAP Audit Overflow attribute specifies the strategy multiWrap. Specify a value greater or equal to 1. Do not specify a value greater than 99. The default value is 1 (one additional audit log file is used; that is, there are two audit log files in use: audit.log for current logging and audit.PID.01 for wrapping around).

If auditing is enabled, the LDAP server writes audit file records in the file audit.log. (See the section LDAP Audit Destination for details.) If the maximum number of audit file records (LDAP Audit Size Limit attribute) or the maximum audit file size (LDAP Audit Max File Size attribute) is exceeded, the LDAP server closes this file and renames it to audit.log.*PID.number, where PID is the process identifier of the LDAP server and number is a sequential number running from *01 through the value specified in LDAP Audit Number Wraparound Files attribute. In the event that a file with this name already exists, the LDAP server first deletes this file and then creates a new audit log file audit.log. Auditing is continued using the current configuration settings. The result is that there are LDAP Audit Number Wraparound Files audit files and the file audit.log in use.

While the LDAP server is running and the set of audit log files is in use, you must ensure that the LDAP server is able to access all these files. For example, do not move, lock, rename, or delete any of these files.

If the LDAP server is restarted for any reason and gets a previously used process identifier, it overwrites already existing files from the previous process.

Auditing is disabled automatically if any of the file operations fails.

Abbreviation

LANWF

LDAP Name(s)

ldapAuditNumWrapFiles

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LANWF=9
Example (LDAP)

Currently the LDAP server uses multi-wrapping with 4 additional log files. That is, the values currently in use are:

ldapAuditOverflow=multiWrap
ldapAuditNumWrapFiles=4 (create 4 additional audit log files)

Now the administrator decides to use ten audit log files because he wants to evaluate a longer time period. So he specifies the value 9 for the additional number of audit log files:

ldapAuditNumWrapFiles=9 (create 9 additional audit log files)

The administrator restarts the LDAP server to enable the new audit configuration and to get process-specific audit log files. The LDAP server gets the PID 1308. It finds the audit log file audit.log from the just stopped LDAP server process with the PID 1352. First, the LDAP server renames this file to audit.log.20060605091435Z_001 and then creates a new audit.log file. When audit.log exceeds one of the limits, the LDAP server renames the file to audit.log.1308.01 and creates a new file audit.log. After generating audit.log.1308.09, the LDAP server starts wrapping around with audit.log.1308.01. It deletes this file before renaming audit.log. The administrator finds the following audit log files:

  • From the current running LDAP server with PID 1308:

    audit.log			(currently active audit log file)
audit.log.1308.01		(multi wrapping file 1)
audit.log.1308.02		(multi wrapping file 2)
audit.log.1308.03		(multi wrapping file 3)
audit.log.1308.04		(multi wrapping file 4)
audit.log.1308.05		(multi wrapping file 5)
audit.log.1308.06		(multi wrapping file 6)
audit.log.1308.07		(multi wrapping file 7)
audit.log.1308.08		(multi wrapping file 8)
audit.log.1308.09		(multi wrapping file 9)

    Because the LDAP server with the PID 1308 is running, the administrator must ensure write access for the LDAP server. It is prohibited to delete, lock, or rename these files. However, the administrator can copy them to another location for evaluating the files.

  • From the previously running LDAP server with PID 1352:

    audit.log.20060605091435Z_001		(last recent active audit log file)
audit.log.1352.01				(multi wrapping file 1)
audit.log.1352.02				(multi wrapping file 2)
audit.log.1352.03				(multi wrapping file 3)
audit.log.1352.04				(multi wrapping file 4)

Because the LDAP server with the PID 1352 is not running the administrator can delete or move these files.

The creation dates of the files provide a hint about the chronological sequence.

LDAP Audit Level

The LDAP Audit Level single-valued attribute specifies the level of detail of audit information logged for attribute values of the request parameters of the operations add, modify, compare, and of the LDAPv3 control parameters. This attribute is useful to limit the size of the audit information. Specify one of the following values:

  • max - The object name, all attribute types, and the attribute values are logged: If the value length exceeds the length specified in the LDAP Audit Value Limit attribute, only the length of the value is logged. If the value contains unprintable characters, dirxauddecode delivers a hex dump format of the value.

  • med - The object name, all attribute types, and the length of the attribute values are logged.

  • min - Only the object name is logged. No attribute information is logged.

The default value is med.

Abbreviation

LALE

LDAP Name(s)

ldapAuditLevel

Syntax (DAP)

Directory String {32768}

Example (DAP)

  1. The following sample output was generated by the dirxauddecode command and

    LALE=max

    dirxauddecode sample output:

    ----------------- OPERATION 000002 ----------------
  Start Time     :Thu May 10 10:47:21 2001
  Duration       :0.040 sec
  User           :
  IP             :127.0.0.1
  Op-Name        :LDAP_Con0_Op1
  ConnID         :0
  Operation      :ADD
  Version        :3
  MessageID      :2
  Entry          :cn=dummy,o=my-company
  Attributes     :2
    Attr Type    :description
    Attr Val     :thisisalongdescription
    Attr Type    :cn
    Attr Val     :dummy2
  Result Code    :65 (objectClassViolation)

----------------- OPERATION 000002 ----------------
  Start Time     :Mon May 14 13:29:16 2001
  Duration       :0.040 sec
  User           :
  IP             :127.0.0.1
  Op-Name        :LDAP_Con0_Op1
  ConnID         :0
  Operation      :ADD
  Version        :2
  MessageID      :2
  Entry          :cn=dummy,o=my-company
  Attributes     :2
    Attr Type    :description
    Attr Val(hex):(26)
   000000: 61 64 65 73 63 72 69 70 74 69 6f 6e 0a 0d 77 69 :adescription.. wi <- binary
   000010: 74 68 0a 0d 62 69 6e 61 72 79                   :th..binary
    Attr Type    :cn
    Attr Val     :dummy2
  Result Code    :65 (objectClassViolation)

  2. The following sample output was generated by the dirxauddecode command and

    LALE=med

    dirxauddecode sample output:

    ----------------- OPERATION 000002 ----------------
  Start Time     :Thu May 10 11:18:55 2001
  Duration       :0.040 sec
  User           :
  IP             :127.0.0.1
  Op-Name        :LDAP_Con0_Op1
  ConnID         :0
  Operation      :ADD
  Version        :2
  MessageID      :2
  Entry          :cn=dummy,o=my-company
  Attributes     :2
    Attr Type    :description
    Attr Val(len):22          <-- only the length is evaluated
    Attr Type    :cn
    Attr Val(len):6           <-- only the length is evaluated
  Result Code    :65 (objectClassViolation)

  3. The following sample output was generated by the dirxauddecode command and

    LALE=min

    dirxauddecode sample output:

    ----------------- OPERATION 000002 ----------------
  Start Time     :Thu May 10 11:27:57 2001
  Duration       :0.040 sec
  User           :
  IP             :127.0.0.1
  Op-Name        :LDAP_Con0_Op1
  ConnID         :0
  Operation      :ADD
  Version        :2
  MessageID      :2
  Entry          :cn=dummy,o=my-company   <- no attribute information
  Result Code    :65 (objectClassViolation)
Example (LDAP)
ldapAuditLevel=min

LDAP Audit Value Limit

The LDAP Audit Value Limit single-valued attribute specifies the maximum length of an attribute value that is logged. If the length of the attribute value exceeds this limit, only the value’s length is logged. (Like LDAP Audit Level med; see the section LDAP Audit Level for details.) The value of 0 allows the logging of values with a length of an unlimited number of bytes. The default value is 256.

Note that this attribute can greatly affect the audit log file size if clients perform modifications with large attribute values; for example, pictures.

This attribute is relevant only if the LDAP Audit Level attribute is set to max.

Abbreviation

LAVL

LDAP Name(s)

ldapAuditValueLimit

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style9

Example (DAP)
LAVL=50

If the length of the attribute value is lower than or equal to 50 bytes, the value is logged; else only the value length is logged.

Example (LDAP)
ldapAuditValueLimit=50

LDAP Audit Op Selection

The LDAP Audit Op Selection multi-valued attribute specifies a list of operations that are logged. Specify the value in the following format:

operation[;_operation_ …]

where operation is one of the following keywords:

  • all - All operations

  • ldap - All LDAP server operations except 'other' and 'unknown' operations.

  • abandon - All abandon operations

  • add - All add operations

  • bind - All bind operations

  • compare - All compare operations

  • extop - All LDAPv3 extended operations; for example, unsolicited notification or startTLS

  • moddn - All moddn operations

  • modify - All modify operations

  • other - All other unexpected client operations that cannot be identified

  • remove - All delete operations

  • search - All search operations

  • unbind - All unbind operations

  • unknown - All unexpected client operations that indicate client misbehavior, for example closing the socket layer without initiating an LDAP unbind operation or clients that send illegal PDUs etc.

The default value is all.

Note that this attribute provides an operation filter for auditing in the LDAP server at the time of writing audit records. At the time of evaluation, the dirxauddecode command also provides the facility to filter out operation types.

Abbreviation

LAOS

LDAP Name(s)

ldapAuditOpSelection

Syntax (DAP)

Directory String {40}

Example (DAP)
LAOS=ldap

Logs all LDAP operations except the other and unknown operations.

{LAOS=bind;add;search}

Logs all bind, add, and search operations.

Example (LDAP)
ldapAuditOpSelection=ldap

Logs all LDAP operations except the other and unknown operations.

{ldapAuditOpSelection=bind;add;search}

Logs all bind, add, and search operations.

LDAP Audit Erroneous Operations

The LDAP Audit Erroneous Operations single-valued attribute specifies whether or not erroneous operations are recorded in the audit log file.

Specify one of the following values:

  • 1 - The LDAP server records erroneous operations in the audit log file.

  • 0 - The LDAP server does not record erroneous operations in the audit log file.

The default value is 1.

If the administrator wants only erroneous operations to be recorded in the audit log file, he specifies the value 1 for the LDAP Audit Erroneous Operations attribute and the value none for the LDAP Audit Op Selection attribute.

Abbreviation

LAERR

LDAP Name(s)

ldapAuditErrors

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LAERR=0
Example (LDAP)
ldapAuditErrors=0

LDAP Audit Internal Buffer Size

The LDAP Audit Internal Buffer Size single-valued attribute specifies whether audit information is buffered internally before it is written to the audit log file. A value of 0 specifies that all audit information is written to the audit log file when an operation was completed. A value greater than 0 specifies the buffer size in number of bytes. The audit information is written to the audit log file when the buffer size is exceeded.

The default value is 0 (no buffering of audit information).

Abbreviation

LAIBS

LDAP Name(s)

ldapAuditIntBufSize

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LAIBS=1024

All internal buffered audit records are written to the audit log file when the internal buffer size of 1024 bytes is exceeded.

Example (LDAP)
ldapAuditIntBufSize=1024

All internal buffered audit records are written to the audit log file when the internal buffer size of 1024 bytes is exceeded.

LDAP Audit Encryption

The LDAP Audit Encryption single valued attribute specifies whether or not the audit log file shall be encrypted. The value of this attribute specifies the encryption mechanism. Specify one of the following values:

  • none - The audit log file is not encrypted.

  • scramble - The audit log file is encrypted using a scramble mechanism.

The default value is none (no encryption).

If scramble encryption mechanism is enabled, the file specified in the LDAP Audit Encryption Key File attribute must contain the correct key material. If the key material is incorrect or the specified file does not exist or cannot be read, the LDAP server terminates.

Abbreviation

LAE

LDAP Name(s)

ldapAuditEncryption

Syntax (DAP)

Directory String {32768}

Example (DAP)
LAE=scramble The audit log file is encrypted by using a scramble mechanism.
Example (LDAP)
ldapAuditEncryption=scramble

The audit log file is encrypted by using a scramble mechanism.

LDAP Audit Encryption Key File

The LDAP Audit Encryption Key File single-valued attribute specifies the full pathname of the file that contains the key material to encrypt the audit information to be saved in the audit log file. This key material may be a password that is used as a cipher key, a pass phrase, or a PIN that is used by Personal Security Environment to access the current encryption key. If the key material is incorrect or the specified file does not exist or cannot be read, the LDAP server terminates.

This attribute is ignored if no encryption mechanism is specified in the LDAP Audit Encryption attribute (LAE=none).

If an encryption mechanism is specified in the LDAP Audit Encryption attribute (LAE≠none) the password stored in this file must be specified in the -k option of the dirxauddecode command in order to evaluate a scrambled audit file.

The default value is install_path*/ldap/conf/dirx_audit.pwd*.

Abbreviation

LAEKF

LDAP Name(s)

ldapAuditEncrKeyFile

Syntax (DAP)

Directory String {32768}

Example (DAP)
(on Linux systems)
LAEKF=\/opt\/dirx\/ldap\/log\/audit\/key.pwd
(on Windows systems)
LAEKF=C:\\Program Files\\DirX\\Directory\\ldap\\log\\audit\\key.pwd
The slash (/) and the backslash (\) character must be escaped by a backslash (\) character.
Example (LDAP)
(on Linux systems)
ldapAuditEncrKeyFile=\/opt\/dirx\/ldap\/log\/audit\/key.pwd
(on Windows systems)
ldapAuditEncrKeyFile=C:\\Program Files\\DirX\\Directory\\ldap\\log\\audit\\key.pwd
The slash (/) and the backslash (\) character must be escaped by a backslash (\) character.

LDAP Audit Start Time

The LDAP Audit Start Time single-valued attribute specifies the time when the LDAP server starts recording of audit information. A value of none specifies no start time and does not affect the audit behavior. Specify the time in the following syntax:

DD.MM.YYYY hh:mm:ss

where

DD specifies the day of month (01 up to 31)

MM specifies the month (01 up to 12)

YYYY specifies the year

hh specifies the hour (00 up to 23)

mm specifies the minute (00 up to 59)

ss specifies the seconds (00 up to 59)

If a start time is specified the LDAP Audit On (LAON) attribute must be set to TRUE.

The default value is none (no start time specified).

Abbreviation

LASTA

LDAP Name(s)

ldapAuditStartTime

Syntax (DAP)

Directory String {32768}

Example (DAP)
{LASTA=03.05.2001 13:05:30}

LDAP server auditing is started on May 3rd, 2001 at 1:05:30 PM.

Example (LDAP)
{ldapAuditStartTime=03.05.2001 13:05:30}

LDAP server auditing is started on May 3rd, 2001 at 1:05:30 PM.

LDAP Audit Stop Time

The LDAP Audit Stop Time single-valued attribute specifies the time when the LDAP server stops recording of audit information. A value of none specifies no stop time and does not affect the audit behavior. Specify the time in the following syntax:

DD.MM.YYYY hh:mm:ss

where

DD specifies the day of month (01 up to 31)

MM specifies the month (01 up to 12)

YYYY specifies the year

hh specifies the hour (00 up to 23)

mm specifies the minute (00 up to 59)

ss specifies the seconds (00 up to 59)

The default value is none (no stop time specified).

Abbreviation

LASTO

LDAP Name(s)

ldapAuditStopTime

Syntax (DAP)

Directory String {32768}

Example (DAP)
{LASTO=03.05.2001 20:05:30}

LDAP server auditing is finished on May 3rd, 2001 at 8:05:30 PM.

Example (LDAP)
{ldapAuditStopTime=03.05.2001 20:05:30}

LDAP server auditing is finished on May 3rd, 2001 at 8:05:30 PM.

LDAP Audit Cron Job Start Time

The LDAP Audit Cron Job Start Time single-valued attribute specifies the time when the LDAP server starts a cron job that performs the action specified in the LDAP Audit Overflow attribute despite whether any of the specified limits (maximum number of records or maximum file size) has been exceeded. (See the section LDAP Audit Overflow in this chapter for details.) The LDAP Audit Cron Job Interval attribute specifies when the next cron job is started. (See the section below for details.) This attribute may be useful for example, to generate audit log files that cover a certain time frame.

The value never disables starting cron jobs. This is the default value.

The value now starts the cron job immediately.

Specify the time in the following syntax:

DD.MM.YYYY hh:mm:ss

where

DD specifies the day of month (01 up to 31)

MM specifies the month (01 up to 12)

YYYY specifies the year

hh specifies the hour (00 up to 23)

mm specifies the minute (00 up to 59)

ss specifies the seconds (00 up to 59)

If the LDAP server reads a start time in the past and a cron job interval is specified in the LDAP Audit Cron Job Interval attribute (greater than 60 seconds), the LDAP server calculates the next start time of the cron job automatically.

If a start time is specified, LDAP audit logging must be enabled; that is, the LDAP Audit On (LAON) attribute must be set to TRUE. Keep in mind that you may have disabled auditing by specifying the attributes LDAP Audit Start and / or LDAP Audit Stop Time.

The LDAP Audit Cron Job Start Time attribute has no effect on whether or not the LDAP server performs auditing.

Abbreviation

LACRS

LDAP Name(s)

ldapAuditCronStart

Syntax (DAP)

Directory String {32768}

Syntax (LDAP)

Directory String {32768} (LDAP Style)

Example (DAP)
{LACRS=03.05.2001 20:05:30}

The LDAP audit cron job is started on May 3rd, 2001 at 8:05:30 PM.

Example (LDAP)
{ldapAuditCronStart=03.05.2001 20:05:30}

The LDAP audit cron job is started on May 3rd, 2001 at 8:05:30 PM.

LDAP Audit Cron Job Interval

The LDAP Audit Cron Job Interval single-valued attribute specifies the wait time in seconds after which the LDAP server starts the next cron job that performs the action specified in the LDAP Audit Overflow attribute despite whether any of the specified limits (maximum number of records or maximum file size) has been exceeded. (See the section LDAP Audit Overflow in this chapter for details.) The LDAP Audit Cron Job Start Time attribute specifies the date when the cron job is started the first time. (See the section above for details.)

Specify a value greater than 60 seconds. The default value is 3600 seconds. If a value lower than 60 seconds is specified, the value 60 seconds is set automatically.

If the value 0 is specified, the LDAP server starts the cron job once at LDAP Audit Cron Job Start Time.

If a cron job start time and interval are specified, LDAP audit logging must be enabled; that is, the LDAP Audit On (LAON) attribute must be set to TRUE. Keep in mind that you may have disabled auditing by specifying the attributes LDAP Audit Start and / or LDAP Audit Stop Time.

The LDAP Audit Cron Job Interval has no effect on whether or not the LDAP server performs auditing.

The following example illustrates how to use cron jobs:

Suppose you want to generate audit log files, where each file contains the LDAP operations for one hour. The current time is February 28, 2006, 7:35 PM. The LDAP audit is turned on (LDAP Audit On (LAON) attribute is TRUE). Neither a LDAP Audit Start nor a LDAP Audit Stop is specified. The overflow action to take is moving the audit log file (ldapAuditOverFlow=moveFile). Specify the following values for managing the cron job:

{ldapAuditCronStart=28.02.2006 20:00:00}

ldapAuditCronInterval=3600

At 8:00 PM, the LDAP server starts the first cron job, moving the current audit log file to a file named audit.log.20060228200000Z_001 containing the audit records until 8:00 PM. One hour (3600 seconds) later, at 9:00 PM, the LDAP server again starts a new cron job, moving the current audit log file to a file named audit.log.20060228210000Z_002 containing the audit records from 8:00 PM through 9:00 PM. This action now takes place every hour, moving the current audit log file.

If, meanwhile, either the maximum number of records or the maximum file size is exceeded, the LDAP server takes the overflow action additionally.

If the LDAP server is re-started (for example, at 10:45 PM), it finds a cron job start time in the past. The LDAP server now calculates the next start time of the cron job for 11:00 PM to get audit log files containing the operations on the hour.

The results are several audit log files (preferably one per hour) that may be easier to evaluate; for example, to compare the number of operations for different time periods. Note that if the audit log file has exceeded a specified limit or the LDAP server has been re-started for any reason, there is more than one audit log file per hour.

To stop the cron job feature, change the LDAP Audit Cron Job Interval value to 0.

Abbreviation

LACRI

LDAP Name(s)

ldapAuditCronInterval

Syntax (DAP)

Integer

Syntax (LDAP)

Integer (LDAP Style)

Example (DAP)
LACRI=2400
Example (LDAP)
ldapAuditCronInterval=2400

LDAP Audit Session Tracking Enabled

The LDAP Audit Session Tracking Enabled single-valued attribute specifies whether or not the LDAP server writes the values of the session tracking control (if provided) to the LDAP audit file.

Specify a value of 1 to enable session tracking and a value of 0 to disable session tracking.

An LDAP client can include the session tracking control with its LDAP request. The session tracking control provides the following information:

  • The sessionSourceIP - The IP address of the originating LDAP client application with a maximum length of 128 characters.

  • The sessionSourceName - A description of the originating system, with a maximum length of 65536 bytes. The value might be, for example, a hostname, a distinguished name, or a web service address.

  • The formatOID - A description of the semantics of the sessionSourceName and the sessionTrackingIdentifier, with a maximum length of 1024 bytes.

  • The sessionTrackingIdentifier - The tracking identifier; for example, a username that has already been authenticated by the application that is generating the session, with an unlimited length (but it should not be longer than 65536 characters).

Control the number of bytes written to the audit log file by specifying the LDAP Audit Session Tracking InfoLen attribute.

See the Internet-Draft “LDAP Session Tracking Control” (draft-wahl-ldap-session-03.txt) for details about session tracking.

Abbreviation

LASTE

LDAP Name(s)

ldapAuditSessionTrackingEnabled

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LASTE=1
Example (LDAP)
ldapAuditSessionTrackingEnabled=0

LDAP Audit Session Tracking InfoLen

The LDAP Audit Session Tracking InfoLen single-valued attribute specifies the maximum length of each field (the sessionSourceIP, the sessionSourceName, the formatOID, and the sessionTrackingIdentifier) of the session tracking control that the LDAP server writes to the audit log file. The default value is 64; that is, the LDAP server writes the initial 64 bytes of the value to the audit log file.

Set the value of the LDAP Audit Session Tracking Enabled attribute to the value 1 to enable session tracking. (See the LDAP Audit Session Tracking Enabled attribute above for details.)

Abbreviation

LASTI

LDAP Name(s)

ldapAuditSessionTrackingInfoLen

Syntax (DAP)

Integer

Syntax (LDAP)

Integer String (LDAP Style)

Example (DAP)
LASTI=125
Example (LDAP)
ldapAuditSessionTrackingInfoLen=125

Attributes of the Password Policy Subentry

Attributes for Password Policy are attributes of Password Policy subentries. These subentries administer the password policy for the directory. DirX Directory supports:

  • A global Password Policy subentry CN=GlobalPasswordPolicy:
    The attributes of this subentry specify the standard password policy for the directory. DirX Directory automatically creates this subentry with a default subtree specification so that it applies to all entries in the DIT ({SS={DEF=TRUE}}). The administrator may modify the attributes specifying the password policy using the DAP or LDAP protocol. The global Password Policy subentry applies to all entries that are not controlled by a more specific Password Policy subentry.

    The attributes specifying the format of the stored user password attributes (Password Storage Scheme, Password Storage Scheme Algorithm and Password Storage Scheme Level) can be administered only in this global Password Policy subentry. They are ignored if specified in a specific Password Policy subentry.

  • Specific Password Policy subentries:
    Specific Password Policy subentries can be created below an administrative point (ADM-Point) if the Administrative Role of the ADM-Point has the value passwordPolicySpecificArea (PPSA). As for every subentry the Subtree Specification attribute controls the relevance of the subentry. The object class of specific Password Policy subentries must contain the values subEntry and pwdPolicy.

    No innerPasswordPolicySpecificArea is supported. Furthermore the DSA rejects the coexistence of more than one specific Password Policy subentry in a particular passwordPolicySpecificArea. An object class violation error is returned.

There is exactly one Password Policy subentry for each entry in the DIT, either the global one or a specific one - if there is a specific Password Policy subentry up in the tree which is relevant for the entry in terms of the Subtree Specification.

The attributes of the Password Policy subentries control how passwords are used and administered. They provide a set of rules that ensures that

  • Passwords meet construction requirements to prevent users from choosing easy-to-guess passwords (attributes: Password Check Syntax, Password Minimum Length, Password Maximum Length, Password Minimum Lower Case Characters, Password Minimum Upper Case Characters, Password Minimum Digits, Password Minimum Special Character, Password Exclude Name)

  • The re-use of old passwords is restricted (attribute: Password In History)

  • Users change their password periodically (attributes: Password Minimum Age, Password Maximum Age, Password Expire Warning, Password Grace Login Limit)

  • Accounts are locked out after failed logins (attributes: Password Lockout, Password Lockout Duration, Password Failure Counter Interval, Password Maximum Failure, Password Must Change)

  • Login information is stored at the user’s entry, for example the number of failed logins (attribute: Password Store Login Info)

  • Particular users can be excluded from the password policy rules by means of the Password Policy Exclusions attribute

They also provide information about level and algorithm of password hashing (attributes: Password Storage Scheme, Password Storage Scheme Algorithm, Password Storage Scheme Level). The DSA evaluates these attributes only if they are contained in the global Password Policy subentry. Adding them to specific Password Policy subentries has no effect on the storage of user passwords.

To support the rules for the restricted re-use of old passwords, the password expiration, and the account lockout each user entry provides a set of directory operational password policy attributes. See section titled Password Policy Attributes for details.

The DSA creates the global Password Policy subentry under the root DSE with the DN /cn=globalPasswordPolicy if this subentry does not exist at start up time of the DSA. This subentry contains the following attributes specifying the default password policy:

  • Password Check Syntax (pwdCheckQuality, pwdCheckSyntax, PPCHSY, value: 0 – Syntax checking disabled)

  • Password Minimum Length (pwdMinLength, PPMINL, value: 0)

  • Password Maximum Length (pwdMaxLength, PPMAXL, value: 0)

  • Password Minimum Lower Case Character (pwdMinLowerCase, PPMINLO, value: 0)

  • Password Minimum Upper Case Character (pwdMinUpperCase, PPMINUP, value: 0)

  • Password Minimum Digit (pwdMinDigit, PPMINDI, value: 0)

  • Password Minimum Special Character (pwdMinSpecialChar, PPMINS, value: 0)

  • Password Exclude Name (pwdExcludeName, PPEXCNA, value: 0)

  • Password In History (pwdInHistory, PPINHI, value: 0)

  • Password Minimum Age (pwdMinAge, PPMINA, value: 0)

  • Password Maximum Age (pwdMaxAge, PPMAXA, value: 0)

  • Password Expire Warning (pwdExpireWarning, PPEXWA, value: 0)

  • Password Grace Login Limit (pwdGraceLoginLimit, PPGRLL, value: 0)

  • Password Lockout (pwdLockout, PPLOCK, value: FALSE)

  • Password Lockout Duration (pwdLockoutDuration, PPLODU, value: 0)

  • Password Maximum Failure (pwdMaxFailure, PPMAXF, value: 0)

  • Password Failure Counter Interval (pwdFailureCountInterval, PPFCIN, value: 0)

  • Password Must Change (pwdMustChange, PPMUCH, value: FALSE)

  • Password Store Login Info (pwdStoreloginInfo, PPSTLI, value: 0)

  • Password Storage Scheme (pwdStorageScheme, PPSTSC, value: ssha – User password values are hashed according to salted SHA)

  • Password Storage Scheme Algorithm (pwdStorageSchemeAlgo, PPSTSA, value: SHA-256)

  • Password Storage Scheme Level (pwdStorageSchemeLevel, PPSTSL, value: 2)

  • Password Policy Exclusions (pwdExclusions, PPEXCL, no value)

Use the dirxcp obj operations to modify the attributes of the global Password Policy subentry or to create and modify subtree specific Password Policy subentries. Modifications of a Password Policy subentry become effective immediately.

The following sections provide information about the attributes of password policy subentries.

Password Check Syntax

The Password Check Syntax attribute is a single-valued attribute specifying how the password syntax is checked. Specify one of the following values:

  • 0 - Syntax checking is disabled.

  • 1 - Syntax checking is enabled for password values in clear text format. If the server is unable to check the syntax (due to a hashed password) the password is accepted.

  • 2 - Syntax checking is enabled for password values in clear text format. If the server is unable to check the syntax the password is rejected. (That is only passwords in clear text format are accepted if the syntax is checked successful.)

The default value is 0.

The value of this attribute affects checking with respect to the following attributes:

  • Password Minimum Length

  • Password Maximum Length

  • Password Minimum Lower Case Character

  • Password Minimum Upper Case Character

  • Password Minimum Digit

  • Password Minimum Special Character

  • Password Exclude Name

  • Password In History

If another value than described above is specified the DSA ignores the value of this attribute and establishes the default behavior.

Abbreviation

PPCHSY

LDAP Name(s)

pwdCheckQuality, pwdCheckSyntax

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPCHSY=2
Example (LDAP)
pwdCheckQuality=2

Password Minimum Length

The Password Minimum Length attribute is a single-valued attribute specifying the minimum number of octets that must be used in a password when syntax checking is enabled (that is the Password Check Syntax attribute value is 1 or 2). (See section titled Password Check Syntax above for details.)

The default value is 0 (no minimum password length is enforced).

Abbreviation

PPMINL

LDAP Name(s)

pwdMinLength

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMINL=6
Example (LDAP)
pwdMinLength=6

Password Maximum Length

The Password Maximum Length attribute is a single-valued attribute specifying the maximum number of octets that can be used in a password when syntax checking is enabled (that is the Password Check Syntax attribute value is 1 or 2). (See section titled Password Check Syntax above for details.)

The default value is 0. The maximum password length is not restricted by the password policy. However it is restricted to 128 octets by the X.520 standard.

If a value lower than Password Minimum Length or the sum of Password Minimum Lower Case Character, Password Upper Case Character, Password Minimum Digit and Password Minimum Special Character is specified, the DSA ignores the value of this attribute and establishes the default behavior.

Abbreviation

PPMAXL

LDAP Name(s)

pwdMaxLength

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMAXL=24
Example (LDAP)
pwdMaxLength=26

Password Minimum Lower Case Character

The Password Minimum Lower Case Character attribute is a single-valued attribute specifying the minimum number of lowercase characters (a-z) that must be used in a password when syntax checking is enabled (that is, when the Password Check Syntax attribute value is 1 or 2). (See the section Password Check Syntax for details.)

The default value is 0 (no minimum number of lowercase characters is enforced).

Abbreviation

PPMINLO

LDAP Name(s)

pwdMinLowerCase

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMINLO=2
Example (LDAP)
pwdMinLowerCase=2

Password Minimum Upper Case Character

The Password Minimum Upper Case Character attribute is a single-valued attribute specifying the minimum number of uppercase characters (A-Z) that must be used in a password when syntax checking is enabled (that is, when the Password Check Syntax attribute value is 1 or 2). (See the section Password Check Syntax for details.)

The default value is 0 (no minimum number of uppercase characters is enforced).

Abbreviation

PPMINUP

LDAP Name(s)

pwdMinUpperCase

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMINUP=2
Example (LDAP)
pwdMinUpperCase=2

Password Minimum Digit

The Password Minimum Digit attribute is a single-valued attribute specifying the minimum number of digits (0-9) that must be used in a password when syntax checking is enabled (that is, when the Password Check Syntax attribute value is 1 or 2). (See the section Password Check Syntax for details.)

The default value is 0 (no minimum number of digits is enforced).

Abbreviation

PPMINDI

LDAP Name(s)

pwdMinDigit

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMINDI=1
Example (LDAP)
pwdMinDigit=1

Password Minimum Special Character

The Password Minimum Special Character attribute is a single-valued attribute specifying the minimum number of special characters (any octet outside the range of A-z and 0-9) that must be used in a password when syntax checking is enabled (that is, when the Password Check Syntax attribute value is 1 or 2). (See the section Password Check Syntax for details.)

The default value is 0 (no minimum number of special characters is enforced).

Abbreviation

PPMINS

LDAP Name(s)

pwdMinSpecialChar

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMINS=2
Example (LDAP)
pwdMinSpecialChar=2

Password Exclude Name

The Password Exclude Name attribute is a single-valued attribute specifying whether the password is rejected if it has a substring that matches the user’s name. The rule is checked when syntax checking is enabled (that is, when the Password Check Syntax attribute value is 1 or 2). (See the section Password Check Syntax for details.)

Specify one of the following values:

  • 0 - No restriction.

  • 1 - Passwords are rejected if the value is a case-ignored substring of the user’s distinguished name (DN) in LDAP format; for example, the user cn=abele,ou=sales,o=my-company cannot set his password to Bele,Ou.

  • 2 - Passwords are rejected if the user’s relative distinguished name (RDN) is a case-ignored substring of the password; for example, the user cn=abele,ou=sales,o=my-company cannot set his password to Abele1.

  • 3 - Passwords are rejected if either the condition for value 1 or the condition for value 2 applies.

The default value is 0.

Abbreviation

PPEXCNA

LDAP Name(s)
pwdExcludeName
Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPEXCNA=2
Example (LDAP)
pwdExcludeName=3

Password In History

The Password In History attribute is a single-valued attribute specifying the number of most recently used passwords that are prohibited for reuse when syntax checking is enabled (that is, when the Password Check Syntax attribute value is 1 or 2). (See the section Password Check Syntax for details.). The most recently used password values are stored in the directory operational Password History attribute.

The default value is 0, which permits any previously used password to be reused.

The maximum supported number is 24. If a number greater than 24 is specified, the DSA ignores the value of this attribute and establishes the default behavior.

Abbreviation

PPINHI

LDAP Name(s)

pwdInHistory

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPINHI=5
Example (LDAP)
pwdInHistory=5

Password Minimum Age

The Password Minimum Age attribute is a single-valued attribute specifying the number of seconds that must elapse between modifications to the password. The default value is 0 (seconds).

Abbreviation

PPMINA

LDAP Name(s)

pwdMinAge

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMINA=86400 (The password must remain unchanged for at least one day.)
Example (LDAP)
pwdMinAge=86400

Password Maximum Age

The Password Maximum Age attribute is a single-valued attribute specifying the number of seconds after which a password expires. The default value is 0 (the password never expires).

If a password maximum age is specified, we recommend disabling LDAP backend sharing and setting the LDAP Unbind delay time to 0 to avoid successful binds using an expired password. (See the sections LDAP Unbind Delay Time and LDAP Backend Sharing in this chapter for details.)

Abbreviation

PPMAXA

LDAP Name(s)

pwdMaxAge

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMAXA=8640000 (The password expires after 100 days.)
Example (LDAP)
pwdMaxAge=3600

Password Expire Warning

The Password Expire Warning attribute is a single-valued attribute specifying when the DSA starts to return password expiration warning messages to an authenticating user. A successful bind operation returns the warning message "Warning: password expires in n seconds." where n specifies the number of seconds after which the user’s password will expire. If a value n greater than 0 is specified, the password expires n seconds after sending the first expiration warning.

The default value 0 specifies that no warnings are returned.

Abbreviation

PPEXWA

LDAP Name(s)

pwdExpireWarning

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPEXWA=6000
Example (LDAP)
pwdExpireWarning=6000

Password Grace Login Limit

The Password Grace Login Limit attribute is a single-valued attribute specifying the maximum number of times an expired password can be used to authenticate. A successful bind operation due to the Password Grace Login Limit attribute returns the warning message "Warning: n grace logins left." where n specifies the number of remaining grace logins.

The default value is 0 (authentication fails when using an expired password).

Abbreviation

PPGRLL

LDAP Name(s)

pwdGraceLoginLimit

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPGRLL=3
Example (LDAP)
pwdGraceLoginLimit=3

Password Lockout

The Password Lockout attribute is a single-valued attribute specifying whether the password can be used to authenticate after a specific number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in the Password Maximum Failure (PPMAXF, pwdMaxFailure) attribute. The time period within which the failed logins are counted is specified in the Password Failure Counter Interval (PPFCIN, pwdFailureCountInterval) attribute. The lockout duration is specified in the Password Lockout Duration (PPLODU, pwdLockoutDuration) attribute.

Specify one of the following values for the Password Lockout attribute:

  • TRUE - The password cannot be used to authenticate after pwdMaxFailure number of consecutive failed bind attempts. (Password lockout policy is enabled.)

  • FALSE - The password can be used to authenticate after pwdMaxFailure number of consecutive failed bind attempts. (Password lockout policy is disabled.)

The default value is FALSE.

If a password lockout policy is enabled, we recommend disabling LDAP backend sharing and setting the LDAP Unbind delay time to 0 to avoid successful binds using a locked-out account. (See the sections LDAP Unbind Delay Time and LDAP Backend Sharing in this chapter for details.)

Abbreviation

PPLOCK

LDAP Name(s)

pwdLockout

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean

Example (DAP)
PPLOCK=TRUE
Example (LDAP)
pwdLockout=TRUE

Password Lockout Duration

The Password Lockout Duration attribute is a single-valued attribute specifying the number of seconds during which a password cannot be used to authenticate after a specific number of consecutive failed bind attempts. This attribute is evaluated only if the password lockout policy is enabled. (The Password Lockout attribute value is TRUE.)

The default value is 0. (The password cannot be used to authenticate until unlocked by an administrator.)

An administrator can unlock an account at any time. (See the Password Locked Time attribute for information on how to unlock a password.)

Abbreviation

PPLODU

LDAP Name(s)

pwdLockoutDuration

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPLODU=1200
Example (LDAP)
pwdLockoutDuration=1200

Password Maximum Failure

The Password Maximum Failure attribute is a single-valued attribute specifying the number of consecutive failed bind attempts after which the password cannot be used to authenticate. This attribute is evaluated only if the password lockout policy is enabled. (The Password Lockout attribute value is TRUE.)

The default value is 0. (Disables the password lockout policy.)

Abbreviation

PPMAXF

LDAP Name(s)

pwdMaxFailure

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPMAXF=3
Example (LDAP)
pwdMaxFailure=3

Password Failure Counter Interval

The Password Failure Counter Interval attribute is a single-valued attribute specifying the number of seconds after which the password failures are purged from the failure counter (the DSA operational Password Failure Time attribute) even though no successful authentication was performed. This attribute is evaluated only if the password lockout policy is enabled. (The Password Lockout attribute value is TRUE.)

The default value 0 specifies that the failure counter is only reset by a successful authentication.

Abbreviation

PPFCIN

LDAP Name(s)

pwdFailureCountInterval

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPFCIN=600
Example (LDAP)
pwdFailureCountInterval=600

Password Must Change

The Password Must Change attribute is a single-valued attribute specifying whether the user must change his password when he binds to the directory for the first time after an administrator has set or reset his password. Specify one of the following values:

  • TRUE - The user must change his password after an administrator has set or reset the password.

  • FALSE - The user is not required to change his password.

Whether an administrator has set or reset a password is saved in the directory operational Password Reset (pwdReset, PPORSET) attribute of each entry. (See the Password Reset (pwdReset, PPORSET) attribute for details.)

The default value is FALSE.

Abbreviation

PPMUCH

LDAP Name(s)

pwdMustChange

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean

Example (DAP)
PPMUCH=TRUE
Example (LDAP)
pwdMustChange=TRUE

Password Store Login Info

The Password Store Login Info attribute is a single-valued attribute specifying login-related information (bind operation-related information) stored at the user’s entry. Specify one of the following values:

  • 0 - No information about logins is stored.

  • 1 - The number of failed logins is stored in the user’s entry. If a bind operation fails due to an Invalid Credentials error, the value of the user entry’s Password Number of Failed Logins attribute is incremented. (See the Password Number of Failed Logins attribute (pwdNumberOfFailedLogins, PPONOFL) for details.)

  • 2 - The time of the most recent successfully-performed bind operation is stored in the user entry’s Password Last Login Time attribute. (See the Password Last Login Time attribute (pwdLastLoginTime, PPOLLOT) for details.)

  • 3 - The number of failed logins and the time of the most recent successfully-performed bind operation are stored at the user’s entry.

The default value is 0.

If a value other than the values described here is specified, the DSA ignores the value of this attribute and establishes the default behavior.

Abbreviation

PPSTLI

LDAP Name

pwdStoreloginInfo

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPSTLI=2
Example (LDAP)
pwdStoreloginInfo=2

Password Storage Scheme

The Password Storage Scheme attribute is a single-valued attribute specifying the algorithm used to hash user password values. (See also Password Encryption in User Password.) Specify one of the following values (case-insensitive):

  • sha - A SHA algorithm is used to hash user password values.

  • ssha - A Salted SHA algorithm is used to hash user password values.

  • plain - User password values are not hashed.

The default value is ssha.

If a value other than plain is specified, specify the level of password hashing in the Password Storage Scheme Level attribute.

If the value plain is specified and the user password of an entry is stored in hashed format - for example, the entry has been created by an LDIF file import - this entry cannot bind using the clear text password. To perform the bind successfully, the Password Storage Scheme attribute must be set to sha or ssha and the Password Storage Scheme Level attribute must be set at least to 1 (Basic Level).

The SSHA format is the most secure format because the SHA algorithm is applied to a concatenation of the current user password value and a random string.

In order to be able to compare two user password values, one of the values must be a clear text value. It is theoretically impossible to compare two values that are salted hashed or hashed with different algorithms. In these cases, the following operations always fail and return an Unwilling to Perform error:

  • obj compare (-attribute option)

  • obj modify (-changeattr, -removeattr, -replaceattr options)

  • obj search (-filter option)

These operations work if one of the user password values (usually the value in the request) is specified in clear text format, regardless of the hashing scheme and algorithm used for the stored user password value.

The DSA evaluates this attribute only if it is contained in the global Password Policy subentry. It ignores this attribute if it is contained in specific Password Policy subentries.

Abbreviation

PPSTSC

LDAP Name(s)

pwdStorageScheme

Syntax (DAP)

Directory String {32768}

Syntax (LDAP)

Directory String {32768}

Example (DAP)
PPSTSC=sha
Example (LDAP)
pwdStorageScheme=sha

Password Storage Scheme Algorithm

The Password Storage Scheme Algorithm attribute is a single-valued attribute specifying the hash algorithm that the DSA uses to hash a user password if the value of the Password Storage Scheme attribute is not plain. Specify one of the following values:

  • 1 - The DSA uses the algorithm SHA-1 for hashing the user password.This action results in user password values starting with the tag {SHA1}.

  • 224 - The DSA uses the algorithm SHA-224 for hashing the user password.This results in user password values starting with the tag {SHA224}.

  • 256 - The DSA uses the algorithm SHA-256 for hashing the user password.This action results in user password values starting with the tag {SHA256}.

  • 384 - The DSA uses the algorithm SHA-384 for hashing the user password.This action results in user password values starting with the tag {SHA384}.

  • 512 - The DSA uses the algorithm SHA-512 for hashing the user password.This action results in user password values starting with the tag {SHA512}.

The default value is 1. (See the section Password Encryption in the User Password section for details.)

The DSA evaluates this attribute only if it is contained in the global Password Policy subentry. It ignores this attribute if it is contained in specific Password Policy subentries.

Note: Do not use a value other than 1 if the password is going to be used by a DSA that is older than version DirX Directory 8.3.

Abbreviation

PPSTSA

LDAP Name(s)

pwdStorageSchemeAlgo

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPSTSA=1
Example (LDAP)
pwdStorageSchemeAlgo=1

Password Storage Scheme Level

The Password Storage Scheme Level attribute is a single-valued attribute specifying the level of password hashing if the value of the Password Storage Scheme attribute is not plain. Specify one of the following values:

  • 1 (Basic Level) - The hashing of a stored password is taken into account when performing an operation; for example, when evaluating a filter in a search operation.

  • 2 (Read Level) - When a password in clear text format is read, it is converted into the corresponding hash format before returning it to the requestor or writing it into an LDIF file.

  • 3 (Read and Write Level) - When a password in clear text format is to be written into the database, it is converted into the corresponding hash format before saving it.

The default value is 2. (See section titled Password Encryption in the User Password section for details.)

The DSA evaluates this attribute only if it is contained in the global Password Policy subentry. It ignores this attribute if it is contained in specific Password Policy subentries.

Abbreviation

PPSTSL

LDAP Name(s)

pwdStorageSchemeLevel

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPSTSL=3
Example (LDAP)
pwdStorageSchemeLevel=3

Password Attribute Type

The Password Attribute Type attribute is a single-valued attribute specifying the password attribute type to which the password policy is applied. The default value is the OID of the userPassword attribute type (2.5.4.35). The DSA ignores the value of this attribute. It always applies the specified policies to the userPassword attribute type.

Abbreviation

PPATTR

LDAP Name(s)

pwdAttribute

Syntax (DAP)

Object Identifier

Syntax (LDAP)

Object Identifier (LDAP style) in dotted notation.

Example (DAP)
PPATTR=2.5.4.35
Example (LDAP)
pwdAttribute=2.5.4.35

Password Allow User Change

The Password Allow User Change attribute is a single-valued attribute specifying whether a user can change his own password. Specify one of the following values:

  • TRUE - The user can change his own password.

  • FALSE - The user cannot change his own password.

The default value is TRUE.

The DSA does not support this attribute. Access control can be used to allow or deny a user to change his password.

Abbreviation

PPAUCH

LDAP Name(s)

pwdAllowUserChange

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean

Example (DAP)
PPAUCH=FALSE
Example (LDAP)
pwdAllowUserChange=FALSE

Password Safe Modify

The Password Safe Modify attribute is a single-valued attribute specifying whether or not the old password value must be specified when changing the password. Specify one of the following values:

  • TRUE - The old password value must be specified.

  • FALSE - The old password value does not need to be specified.

The default value is FALSE.

The DSA does not support this attribute.

Abbreviation

PPSAMO

LDAP Name(s)

pwdSafeModify

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean

Example (DAP)
PPSAMO=TRUE
Example (LDAP)
pwdSafeModify=TRUE

Password Policy Exclusions

The Password Policy Exclusions attribute is a multi-valued attribute specifying distinguished names of entries. The distinguished names can point to leaves or nodes. Password Policy checks concerning Password Aging and Account Locking are not performed during an operation if the target entry’s DN matches or contains one of the Password Policy Exclusions values. The target entry of an operation is the bind requestor or the DN of an entry whose userPassword is to be modified.

The default is no value.

Notes:

  • The Password Storage Scheme (see attributes Password Storage Scheme and Password Storage Scheme Level above) does not depend on Password Policy Exclusions; that is, the userPassword of all users is treated in the same way with respect to the storage scheme.

Abbreviation

PPEXCL

LDAP Name(s)

pwdExclusions

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name

Example (DAP)
{PPEXCL={/O=My-Company/CN=Admin}}

If this attribute value is found in a password policy subentry, the entry named /O=My-Company/CN=Admin is not subject to password policy rules.

Example (LDAP)
{pwdExclusions={ou=development,o=my-company}}

If this attribute value is found in the password policy subentry, all entries located below the organizational unit “development” are not subject to password policy rules.

Attributes of the Proxied Authorization Control Subentry

The Proxied Authorization Control subentry stores the policy for operations that carry the Proxied Authorization control according to RFC 4370.

The Proxied Authorization control provides a mechanism for specifying an authorization identity on a per-operation basis. It allows an LDAP client to request that an operation be performed under a given authorization identity instead of under the current authorization identity associated with the session. This mechanism enables a user to perform operations efficiently on behalf of multiple users without the need to invoke an individual bind operation for each user. The authorization identity (authID) is the key data for the DirX Directory DSA’s access control decision operation in the context of each operation. As a result, proper administration of the privilege to use the Proxied Authorization control is very important.

Proxied authorization uses a single sign-on model of trust: the LDAP client (typically a service-related application) uses a method outside the scope of LDAP (for example HTTPS) to authenticate the user. In subsequent LDAP accesses to the directory service, the LDAP client uses the Proxied Authorization control to transport the authID - which must be represented in DN format - to the DirX Directory DSA. The DSA grants the proxy request 1) if the LDAP client is authenticated and 2) the policy stored in the Proxied Authorization subentry permits the LDAP client to present the specified authID.

There are two entities associated with a Proxied Authorization control:

  • The proxyControlOwner - the user who has performed the bind operation that initiates the session in whose context the operation that contains the Proxied Authorization control occurs

  • The proxiedUser - the user named in the Proxied Authorization control on whose behalf the operation is to be performed

Here is an example of a Proxied Authorization control as it might be sent along with an LDAP request:

Type:        2.16.840.1.113730.3.4.18
Criticality: TRUE
Value:       “dn:cn=abele,ou=sales,o=my-company”

The "Type" argument specifies the OID that identifies the control as a Proxied Authorization control, the "Criticality" value is mandatory, and the "Value" argument specifies the proxiedUser.

The Proxied Authorization Control subentry provides two attributes for defining Proxied Authorization control policies:

  • The proxyControlOwner attribute, which specifies who (the entity that performs the bind operation to the directory service) is granted proxy rights.

  • The subtreeSpecification attribute, which defines for whom the proxyControlOwner can act as a proxy.

If a request carries the a Proxied Authorization control and the DSA recognizes by the policy stored in the subentry that

  • The user who originated the bind is not a valid proxyControlOwner or

  • The proxiedUser is outside the range of valid authIDs for the particular proxyControlOwner

The DSA returns an error result that is mapped onto the LDAP error code 123 for that particular request.

A Proxied Authorization Control subentry can be created below an administrative point (ADM-Point) if the Administrative Role of the ADM-Point has the value ProxyAuthenticationSpecificArea (PASA).

Proxy Control Owner

The Proxy Control Owner attribute is a multi-valued, mandatory attribute that specifies distinguished names (DNs) of entries to be granted proxy rights via Proxied Authorization controls. The distinguished names must point to leaf entries; that is, every entry that is granted proxy rights must be specified individually.

If there is no Proxied Authorization Control subentry, no entry is granted proxy rights.

Abbreviation

PCO

LDAP Name

proxyControlOwner

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
PCO={/O=My-Company/CN=Admin}

If this attribute value is found in the Proxied Authorization Control subentry, the entry named /O=My-Company/CN=Admin is the only entry that is granted proxy rights.

Example (LDAP)
proxyControlOwner={cn=manager,o=my-company};{cn=admin,o=my-company}

If these attribute values are found in the Proxied Authorization Control Subentry, the two entries cn=manager,o=my-company and cn=admin,o=my-company are the only entries that are granted proxy rights.

Subtree Specification

The Proxied Authorization Control subentry inherits the Subtree Specification attribute from its superior Objectclass subentry as a mandatory attribute. The Subtree Specification attribute restricts the range of authIDs that the entry specified in the Proxy Control Owner attribute is granted to use. The entire range of Subtree Specification values can be used to describe this restriction. (See Subtree-Specification in section X.500 Directory Operational Attributes above and in chapter DirX Directory String Representation for DAP Binds for details).

The following examples illustrate the effects of the Subtree Specification attribute values of this subentry.

Examples (DAP)
SS={DEF=TRUE}

The entry specified by the Proxy Control Owner attribute can act as a proxy for every entry in the entire subtree below the Administrative Point.

SS={BAS={/OU=Sales}}

If the ADM-Point is /O=my-company, the entry specified by the proxyControlOwner attribute can act as a proxy for every entry in subtree below /O=my-company/OU=sales.If the Proxy Control Owner attempts to present, for example, the authID “dn:cn=mayer,o=development,o=my-company” as a proxiedUser in a Proxied Authorization control request, the operation fails and returns the error code 123.

SS={BAS={/OU=Sales}, SF={ITEM=IPER}}

This example represents an further restriction of SS={BAS={/OU=Sales}.Here the Proxy Control Owner can act as a proxy only for every inetOrgPerson entry in the subtree below /O=my-company/OU=sales.

X.500 Directory Operational Attributes

Directory operational attributes represent control information, such as access control information, or other information provided by the Directory, such as when an entry was modified.These attributes can be viewed and manipulated using dirxcp.

Attributes for Access Control

The following directory operational attributes are used to grant or deny users access to directory information.

Access Control Scheme

The Access Control Scheme attribute specifies the means by which access to the Directory information and potentially to access rights themselves may be controlled within an access control-specific area.The attribute is placed in the administrative entry for the corresponding administrative point.Only administrative entries for access control-specific points contain the Access Control Scheme attribute.

The Access Control Scheme attribute can have the following values:

  • BACS basic-access-control scheme

  • SACS simplified-access-control scheme

Abbreviation

ACS

Syntax (DAP)

Object Identifier

Example (DAP)
ACS=SACS
ACS=BACS

Entry ACI

The Entry ACI attribute specifies the local access control requirements applicable to a single entry. (See ACI-Item syntax for details.)

Abbreviation

EACI

Syntax (DAP)

ACI-Item

Example (DAP)
EACI={ID=Authenticated user can Modify his passwords,
      PR=254,
      AL={BL={L=SIMPLE}},
      UF={UC={TH=TRUE},
          UP={PI={E=TRUE},
             GAD=grantModify};
             {PI={AT=UP,
                  AAV=UP},
              GAD=grantAdd+grantRemove}}}

Prescriptive ACI

The Prescriptive ACI attribute is an attribute of a subentry that specifies access control information applicable to entries within a subentry´s scope. (See ACI-Item syntax for details.)

Abbreviation

PACI

Syntax (DAP)

ACI-Item

Example (DAP)
PACI={ID=Some authenticated users can Read all entries,
      PR=50,
      AL={BL={L=SIMPLE}},
      UF={UC={N={DN={/O=My-Company/CN=admin}};
                {DN={/O=My-Company/OU=Sales/CN=Mayer}};
                {DN={/O=My-Company/OU=Manufacturing/CN=Ketzer}},
              SUB={BAS={/O=My-Company/OU=Development}}},
          UP={PI={E=TRUE},
              GAD=grantRead+grantBrowse+grantReturnDN};
             {PI={AUATV=TRUE},
              GAD=grantRead+grantCompare+grantFilterMatch};
             {PR=51,
              PI={AT=UP},
              GAD=denyRead+denyFilterMatch}}};
     {ID=Authenticated users can Modify their passwords,
      PR=100,
      AL={BL={L=SIMPLE}},
      UF={UC={TH=TRUE},
          UP={PI={E=TRUE},
             GAD=grantModify};
             {PI={AT=UP,
                  AAV=UP},
              GAD=grantAdd+grantRemove}}};
     {ID=The administrator has additional permissions,
      PR=254,
      AL={BL={L=SIMPLE}},
      UF={UC={N={DN={/O=My-Company/CN=admin}}},
          UP={PI={E=TRUE},
              GAD=grantAdd+grantRemove+grantModify};
             {PI={AUATV=TRUE},
              GAD=grantAdd+grantRemove};
             {PI={AT=CRN;CRT;MN;MT},
              GAD=grantRead}}
      }

Subentry ACI

The Subentry ACI attribute is an attribute of an administrative point that specifies access control information applicable to each of the subentries associated with the administrative point. (See ACI-Item syntax for details.)

Abbreviation

SACI

Syntax (DAP)

ACI-Item

Example (DAP)
SACI={ID=admin: enable handling of subentries,
      PR=254,
      AL={BL={L=SIMPLE}},
      UF={UC={N={DN={/O=My-Company/CN=admin}}},
          UP={PI={E=TRUE},
              GAD=grantAdd+grantRemove+grantModify};
             {PI={AUATV=TRUE},
              GAD=grantAdd+grantRemove};
             {PI={AT=CRN;CRT;MN;MT},
              GAD=grantRead}}
      }

Attributes of Information Framework

The following directory operational attributes are used for controlling aspects of the DirX Directory information framework.

Administrative Role

The Administrative Role attribute specifies the administrative role of an entry representing an administrative point; that is, the type of an administrative point. It is also used to regulate the subentries permitted to be subordinate to an administrative entry.

Valid values for the Administrative Role attribute are:

  • AA autonomous area

  • ACSA access control specific area

  • ACIA access control inner area

  • CAIA collective attribute inner area

  • CASA collective attribute specific area

  • PASA proxy authorization specific area

  • PPSA password policy specific area

  • SASA subschema administrative area

Abbreviation

AR

Syntax (DAP)

Object Identifier

Example (DAP)
AR=AA
{AR=AA;ACSA;SASA}

Collective Exclusions

The Collective Exclusions attribute specifies the collective attribute types that should be excluded from an entry. The values are object identifiers for the collective attributes that are to be excluded. The value XACA (OID: 2.5.18.0) excludes all collective attributes from an entry.

Abbreviation

CE

Syntax (DAP)

Object Identifier

Example (DAP)
CE=XACA				excludes all collective attributes
{CE=LC;TTIC;TXNC}	excludes collective locality, ttx-terminal-
    				identifier and telex-number

Creators Name

The Creators Name attribute specifies the distinguished name of the Directory user that created an entry.

Abbreviation

CRN

Syntax (DAP)

Distinguished-Name

Example (DAP)
CRN={/O=My-Company/CN=Administrator}

Creation Time

The Creation Time attribute specifies the time that an entry was created.

Abbreviation

CRT

Syntax (DAP)

Generalized-Time

Example (DAP)
CRT=19970101123000Z

DirX Directory Entry UUID

The DirX Directory Entry UUID attribute specifies a unique identifier that the DirX Directory DSA creates at entry creation time.

Abbreviation

DUUID

Syntax (DAP)

PrintableString

Example (DAP)
DUUID= 1b005b45-2ace-4de8-9ff1-b2b25b0b3d45

Modifiers Name

The Modifiers Name attribute specifies the distinguished name of the Directory user that last modified an entry.

Abbreviation

MN

Syntax (DAP)

Distinguished-Name

Example (DAP)
MN={/O=My-Company/CN=Administrator}

Modification Time

The Modification Time attribute specifies the time that an entry was last modified.

Abbreviation

MT

Syntax (DAP)

Generalized-Time

Example (DAP)
MT=19970102123700Z

Number of Subordinates

The Number of Subordinates attribute specifies the number of immediate subordinates of an entry. This is a virtual attribute. It must not be used in search filters. If it is used in a search filter, an Unwilling to Perform error will be returned.

Abbreviation

NOS

LDAP Name(s)

numSubordinates

Syntax (DAP)

Integer

Example (DAP)
NOS=212
Example (LDAP)
numSubordinates=212

Number of All Subordinates

The Number of All Subordinates attribute specifies the number of all subordinates of an entry. This is a virtual attribute. It must not be used in search filters. If it is used in a search filter, an Unwilling to Perform error will be returned.

Abbreviation

NOAS

LDAP Name(s)

numAllSubordinates

Syntax (DAP)

Integer

Example (DAP)
NOS=21234
Example (LDAP)
numAllSubordinates=21234

Subtree Specification

The Subtree Specification attribute specifies subtrees. It is a mandatory attribute of a subentry. (See Subtree-Specification syntax for details.)

This attribute is not supported for LDAP protocol.

Abbreviation

SS

Syntax (DAP)

Subtree-Specification

Example (DAP)
SS={DEF=TRUE}
SS={BAS={/OU=Research/OU=Metallurgy Department}}
SS={BAS={/OU=Research/OU=Metallurgy Department},SF={ITEM=ORP}}
SS={SF={ITEM=2.5.6.7}}

Attributes for Schema Administration

The following directory operational attributes are used to control aspects of DirX Directory schema administration.

Governing Structure Rule

The Governing Structure Rule attribute specifies the governing structure rule of an entry.

Abbreviation

GSR

Syntax (DAP)

Integer

Example (DAP)
GSR=1

Structural Object Class

The Structural Object Class attribute specifies the structural object class of an entry. This is a virtual attribute. It must not be used in search filters. If it is used in a search filter, an Unwilling to Perform error will be returned.

Abbreviation

SOC

Syntax (DAP)

Object Identifier

Example (DAP)
SOC=ORP

Attributes for Database Configuration

The following directory operational attributes are used for controlling DirX Directory database configuration.

Attribute Index

The Attribute Index attribute is a proprietary DirX Directory attribute that provides information about the actual index configuration of an attribute type. It is an attribute of the database configuration subentry CN=DB-Configuration-Subentry and is used only for display purposes.

Abbreviation

ATIDX

Syntax (DAP)

Directory-String {32768}

Example (DAP)
ATIDX= ( 2.5.4.3 NAME cn INDEX NO-PRESENT INITIAL FINAL NO-CONTAINS NO-UNIQUE )

Attribute Outsourcing

The Attribute Outsourcing attribute is a proprietary DirX Directory attribute that is used to configure outsourced attributes. It is an attribute of the database configuration subentry CN=DB-Configuration-Subentry. This attribute should not be changed directly via modify operations. Instead use the dirxadm attr operations. See the attr reference page in the DirX Directory Administration Reference for details.

Abbreviation

ATOUT

Syntax (DAP)

Directory-String {32768}

Example (DAP)
ATOUT= (2.5.4.39 NAME certificateRevocationList OUTSOURCE )

Password Policy Attributes

In order to support the password policy procedures specified by the relevant password policy subentry, each user entry contains a set of operational attributes that provides information about the current status of the user’s password. This set of attributes provides state information to support procedures for

  • password checking

  • password aging

  • account lockout

  • password administration

  • storing login information

Attributes Supporting Password Checking

To support password-checking procedures for reusing old passwords, each user entry contains the Password History attribute. The following section describes this attribute.

Password History Attribute

The Password History attribute is a multi-valued attribute saving the last recently used password values. The password values are stored in an internal format containing the password modification timestamp, the object identifier of the attribute, and the SHA-1 hashed password value.

This attribute is neither written to LDIF files nor replicated via DISP.

This attribute is maintained by the DSA. Read or write access should not be granted even to administrative users.

Abbreviation

PPOHIST

LDAP Name(s)

pwdHistory

Syntax (DAP)

Octet String

Example (DAP)
PPOHIST=20040401123024Z#2.5.4.35#+{SHA}+xser47sdwerrtztz11==
Example (LDAP)
pwdHistory=20040401123024Z#2.5.4.35#+{SHA}+xser47sdwerrtztz11==

Attributes Supporting Password Aging

To support password-aging procedures for password expiration, each user entry contains the Password Changed Time, the Password Expiration Warned, and the Password Grace Use Time attributes. The following sections describe these attributes.

Password Changed Time Attribute

The Password Changed Time attribute is a single-valued attribute that stores the timestamp at which the entry’s password was changed.

This attribute is written to LDIF files and replicated via DISP.

It is maintained by the DSA during the modify operation. Read or write access should not be granted even to administrative users.

Abbreviation

PPOCHTI

LDAP Name(s)

pwdChangedTime

Syntax (DAP)

Generalized-Time

Syntax (LDAP)

Generalized-Time

Example (DAP)
PPOCHTI=20020101123000Z
Example (LDAP)
pwdChangedTime=20020101123000Z
Password Expiration Warned

The Password Expiration Warned attribute is a single-valued attribute that saves the timestamp at which the password expiration warning was initially sent. The password expires Password Expire Warning seconds after the first warning has been sent. The Password Expire Warning attribute is an attribute of the relevant Password Policy subentry.

It is maintained by the DSA during the bind operation, by default on the local DSA only. Therefore, in a shadowing scenario, a user’s entry may have different values for this password policy-related operational attribute on different DSAs.

Setting the environment variable DIRX_GLOBAL_PPO_STATES to 1 directs the DSA to distribute and replicate changes to the Password Expiration Warned operational attribute to all DSAs in a shadowing scenario, creating a globally consistent password policy state for the user.

Read or write access should not be granted even to administrative users.

Abbreviation

PPOEXWA

LDAP Name(s)

pwdExpirationWarned

Syntax (DAP)

Generalized-Time

Syntax (LDAP)

Generalized-Time

Example (DAP)
PPOEXWA=20020101123000Z
Example (LDAP)
pwdExpirationWarned=20020101123000Z
Password Grace Use Time

The Password Grace Use Time attribute is a multi-valued attribute saving the timestamps of grace-logins, which are logins that are granted even though an expired password has been used.

It is maintained by the DSA during the bind operation, by default on the local DSA only. Therefore, in a shadowing scenario, a user’s entry may have different values for this password policy-related operational attribute on different DSAs.

Setting the environment variable DIRX_GLOBAL_PPO_STATES to 1 directs the DSA to distribute and replicate changes to the Password Grace Use Time operational attribute to all DSAs of a shadowing scenario, creating a globally consistent password policy state for the user.

Read or write access should not be granted even to administrative users.

The Password Grace Login Limit attribute of the relevant Password Policy subentry specifies the maximum number of times an expired password can be used to authenticate.

Abbreviation

PPOGRUT

LDAP Name(s)

pwdGraceUseTime

Syntax (DAP)

Generalized-Time

Syntax (LDAP)

Generalized-Time

Example (DAP)
PPOGRUT=20020101123000Z
Example (LDAP)
{pwdGraceUseTime=20020101123000Z;20020102123000Z;20020103123000Z}

Attributes Supporting Account Lockout

To support password account lockout procedures, each user entry contains the Password Account Locked Time and the Password Failure Time attributes. The following sections describe these attributes.

Password Account Locked Time Attribute

The Password Account Locked Time attribute is a single-valued attribute saving the timestamp the account was locked that is the password can no longer be used to authenticate.

The DSA locks an account during the bind operation if the lock conditions are met (specified in the attributes Password Lockout, Password Maximum Failure and Password Failure Counter Interval of the relevant Password Policy subentry). By default, the Account Locked Time is set on the local DSA only. Therefore, in a shadowing scenario, a user’s entry may have different values for this password policy-related operational attribute on different DSAs.

Setting the environment variable DIRX_GLOBAL_PPO_STATES to 1 directs the DSA to distribute and replicate changes to Password Account Locked Time to all DSAs in a shadowing scenario, creating a globally consistent account lock state for the user.

Usually the account is unlocked when performing a successful bind operation and at least Password Lockout Duration seconds has elapsed after the Password Account Locked Time. The Password Lockout Duration is an attribute of the relevant Password Policy subentry.

A value of 19700101000000Z (in GMT format) indicates that the account has been locked permanently and only an administrator can unlock the account by deleting this attribute; for example, with a dirxcp modify entry operation.

The administrator can lock an account by adding this attribute to a user’s entry.

If the administrator has locked or unlocked an account on the master DSA of the user’s entry, the value of this attribute is replicated; that is, the account is locked or unlocked on all DSAs participating in the directory system. If the account has been locked on a master or shadow entry while performing a bind or compare operation, the value of this attribute is not replicated; that is, the account is locked only on a single DSA.

Administrative users should be granted read and write permissions.

Abbreviation

PPOALOT

LDAP Name(s)

pwdAccountLockedTime

Syntax (DAP)

Generalized-Time

Syntax (LDAP)

Generalized-Time

Example (DAP)
PPOALOT=20020101123000Z
Example (LDAP)
pwdAccountLockedTime=20020101123000Z
Password Failure Time

The Password Failure Time attribute is a multi-valued attribute saving the timestamps of consecutive authentication failures.

It is maintained by the DSA during the bind operation, by default on the local DSA only. Therefore, in a shadowing scenario, a user’s entry may have different values for this password policy- related operational attribute on different DSAs.

Setting the environment variable DIRX_GLOBAL_PPO_STATES to 1 directs the DSA to distribute and replicate changes to Password Failure Time to all DSAs in a shadowing scenario, creating a globally consistent password policy state for the user.

Read or write access should not be granted even to administrative users.

If the Password Lockout policy is enabled (the value of the Password Lockout attribute of the relevant Password Policy subentry is TRUE), the user’s account is locked after Password Maximum Failure consecutive failed bind attempts have occurred within the period of time specified in Password Failure Counter Interval. The account is locked for Password Lockout Duration seconds. The Password Maximum Failure, Password Lockout and the Password Failure Counter Interval attribute are attributes of the relevant Password Policy subentry.

As long as an account is not locked:

  • All Password Failure Time values are deleted when a successful bind occurs.

  • All Password Failure Time values that are older than Password Failure Counter Interval are deleted when an unsuccessful bind occurs.

Abbreviation

PPOFATI

LDAP Name(s)

pwdFailureTime

Syntax (DAP)

Generalized-Time

Syntax (LDAP)

Generalized-Time

Example (DAP)
{PPOFATI=20020101123000Z;20020101124000Z}
Example (LDAP)
{pwdFailureTime=20020101123000Z;20020101124000Z}

Attributes Supporting Password Administration

To support password administration procedures each user entry contains the Password Reset attribute. The following sections describe this attribute.

Password Reset Attribute

The Password Reset attribute is a single-valued attribute specifying whether (value TRUE) or not (value FALSE) a user must change his password after he has performed a successful bind operation.

An administrator usually forces a user to change his password by modifying or adding this attribute with the value TRUE together with resetting the user’s password; for example, because the user has forgotten his password.

The user may use the re-set password to authenticate during the bind operation. However, all operations except a modify password operation are prohibited. The DSA rejects these operations with the error code Unwilling to perform and the error message Password Modification is the only operation allowed due to Password Policy. Perform the following dirxcp operation to modify the password:

obj modify [distinguished_name] [-bindid bid]
    –replaceattr {userPassword=new_user_password}

For example:

obj modify {cn=mueller peter,ou=board,o=my-company} \
    -replaceattr {userPassword=xWersT}

The Password Safe Modify (PPSAMO, pwdSafeModify) attribute must also be FALSE. It is not possible to use another kind of modify operation to change the user password.

Abbreviation

PPORSET

LDAP Name(s)

pwdReset

Syntax (DAP)

Boolean

Syntax (LDAP)

Boolean

Example (DAP)
PPORSET=TRUE
Example (LDAP)
pwdReset=TRUE

Attributes Supporting Storing of Login Information

To support the storing of login information, each user entry contains the Password Number of Failed Logins and the Password Last Login Time operational attributes. The following sections describe these attributes.

Password Number of Failed Logins Attribute

The Password Number of Failed Logins attribute is a single-valued attribute recording the number of unsuccessful bind operations. The value of this attribute is incremented when a bind operation fails due to an Invalid Credentials error if the password policy Password Store Login Info (pwdStoreloginInfo) attribute has a value of 1 or 3.

Disabling this feature by setting the Password Store Login Info attribute in the relevant password policy subentry to a value of 0 or 2 does not delete or modify the counter.

The purpose of this attribute is only informational; it is not evaluated by any password policy procedure. The scope of this operational attribute is local; that is, the value of the Password Number of Failed Logins attribute in a replicated environment represents the number of failed logins at the local DSA. This attribute is independent from the setting of the environment variable DIRX_GLOBAL_PPO_STATES.

Administrative users should be granted read permissions.

Abbreviation

PPONOFL

LDAP Name(s)

pwdNumberOfFailedLogins

Syntax (DAP)

Integer

Syntax (LDAP)

Integer

Example (DAP)
PPONOFL=20
Example (LDAP)
pwdNumberOfFailedLogins=20
Password Last Login Time Attribute

The Password Last Login Time attribute is a single-valued attribute recording the time of the most recent successful bind operation. The value of this attribute is set as a result of a successful bind operation if the password policy Password Store Login Info (pwdStoreloginInfo) attribute has a value of 2 or 3.

Disabling the feature by setting the Password Store Login Info attribute in the relevant password policy subentry to a value of 0 or 1 does not delete or modify the value of this operational attribute.

The purpose of this attribute is only informational; it is not evaluated by any password policy procedure. The scope of this operational attribute is local; that is, the value of the Password Last Login Time attribute in a replicated environment represents the time of the most recent successful bind to the local DSA. This attribute is independent from the setting of the environment variable DIRX_GLOBAL_PPO_STATES.

Administrative users should be granted read permissions.

Abbreviation

PPOLLOT

LDAP Name(s)

pwdLastLoginTime

Syntax (DAP)

Generalized-Time

Syntax (LDAP)

Generalized-Time

Example (DAP)
PPOLLOT=20130401123000Z
Example (LDAP)
pwdLastLoginTime=20130401123000Z

Attributes for Synchronous Shadowing

The following operational attributes are used by a DSA when it is part of a synchronous shadowing configuration. For more information about synchronous shadowing, see the dirxadm sob create operation in the DirX Directory Administration Reference and the chapter “Creating a Synchronous Shadow DSA” in the DirX Directory Administration Guide.

DirX Directory Backup Type

The DirX Directory Backup Type attribute is generated or modified by the supplier DSA when a total update by media is configured and a database backup is started. The attribute value contains the name of the backup type which was initiated. The administrator can choose between two database backup types:

  • Dirxbackup, which requires binary compatibility between the supplier DSA and the consumer DSA.

  • ldif_dump, which dumps the database in LDIF format with dirxadm and does not require binary compatibility between the supplier DSA and the consumer DSA.

This attribute is part of the backup signature. See “Creating a Synchronous Shadow DSA” -> “Performing a Total Update by Media” in the DirX Directory Administration Guide for more information on this topic.

Abbreviation

DRXBTYPE

Name (LDAP)

dirxBackupType

Syntax

Directory String

Example (DAP)
DRXBTYPE=dirxbackup
Example (LDAP)
dirxBackupType=ldif_dump

DirX Directory Backup Time

The DirX Directory Backup Time attribute is generated or modified by the supplier DSA when a total update by media is configured and a backup is started. It contains the time stamp of the start of the backup.

This attribute is part of the backup signature. See “Creating a Synchronous Shadow DSA” -> “Performing total update by media” in the DirX Directory Administration Guide for more information on this topic.

Abbreviation

DRXBTIME

Name (LDAP)

dirxBackupTime

Syntax

Generalized-Time

Example (DAP)
DRXBTIME=20170328102028.374Z
Example (LDAP)
dirxBackupTime=20170328102028.374Z

DirX Directory Backup MSN

The DirX Directory Backup MSN attribute is generated respectively modified by the supplier DSA when a total update by media is configured and a backup is started and contains the value of attribute DirX Directory Recent MSN at the time of the start of the backup.

This attribute is part of the backup signature. See “Creating a Synchronous Shadow DSA” -> “Performing total update by media” in the DirX Directory Administration Guide for more information on this topic.

Abbreviation

DRXBMSN

Name (LDAP)

dirxBackupMsn

Syntax

Numeric-String

Example (DAP)
DRXBMSN=28560
Example (LDAP)
dirxBackupMsn=28650

DirX Directory Backup DSAName

The DirX Directory Backup DSAName attribute is generated or modified by the supplier DSA when a total update by media is configured and a backup is started. It contains the name of the supplier DSA as specified in the environment variable DIRX_DSA_NAME.

This attribute is part of the backup signature. See “Creating a Synchronous Shadow DSA” -> “Performing total update by media” in the DirX Directory Administration Guide for more information on this topic.

Abbreviation

DRXBDSAN

Name (LDAP)

dirxBackupDsaName

Syntax

Directory-String

Example (DAP)
DRXDSAN=cn=DirX-DSA-myhost
Example (LDAP)
dirxBackupDsaName=cn=DirX-DSA-myhost

DirX Directory Entry MSN

The DirX Directory Entry MSN attribute specifies the modification sequence number (MSN) of the last update operation of the DSE. It is an attribute of the DSE. The value of this attribute is equal to the value of the DirX Directory Recent MSN attribute at the time of the update operation.

Abbreviation

EMSN

Name (LDAP)

dirxEntryMSN

Syntax (LDAP)

Numeric String

Example (LDAP)
EMSN=28560

DirX Directory In Sync

The DirX Directory In Sync (CINS) attribute shows the status of data synchronicity in a synchronous shadowing configuration. It is an attribute of the subentry /CN=DirXDBVersionSubentry. On the master DSA, the value of this attribute is always TRUE. On a consumer DSA, the attribute can have a value of FALSE if the shadowing agreement has been disabled, a total update is running, or an error has occurred. In this case, you can use the dirxadm sob show command with the
–supplier option on the supplier DSA to display more information about the status of the shadowing agreement. See the dirxadm section in the DirX Directory Administration Reference for details on the sob show command.

Abbreviation

CINS

Name (LDAP)

dirxInSync

Syntax (LDAP)

Boolean

Example (LDAP)
CINS=FALSE

DirX Directory Recent DN

The DirX Directory Recent DN attribute shows the distinguished name (DN) of the last update operation. It is an attribute of the subentry CN=DirXDBVersionSubentry.

Abbreviation

RECDN

Name (LDAP)

dirxRecentDN

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (LDAP)
RECDN=/O=My-Company/OU=Sales/CN=Abele

DirX Directory Recent MSN

The DirX Directory Recent MSN (RSMN) attribute specifies a modification sequence number (MSN) that uniquely identifies the version of a DSA database. It is an attribute of the subentry /CN=DirXDBVersionSubentry. The master DSA increments the DirX Directory Recent MSN attribute each time it performs an update operation and stores the value in the local subentry. At each incremental refresh, the master DSA propagates the value of the DirX Directory Recent MSN attribute to all synchronous shadow consumer DSAs.

Abbreviation

RMSN

Name (LDAP)

dirxRecentMSN

Syntax (LDAP)

Numeric string

Example (LDAP)
RMSN=28560

DirX Directory Recent MSN Time Stamp

The DirX Directory Recent MSN Time Stamp attribute holds the last modification time stamp of the last update operation. It is an attribute of the subentry /CN=DirXDBVersionSubentry.

Abbreviation

RMSNTS

Name (LDAP)

dirxRecentMSNTimeStamp

Syntax (LDAP)

Numeric String

Example (LDAP)
RMSN=28560

DirX Directory Recent Operation

The DirX Directory Recent Operation attribute shows the type of request of the last update operation. It is an attribute of the subentry /CN=DirXDBVersionSubentry.

Abbreviation

RECOP

Name (LDAP)

dirxRecentOperation

Syntax (LDAP)

Directory String {32768}

Example (LDAP)
RECOP=modify

Attributes for Nested and Dynamic Groups

The following operational attributes can be used by the administrator for nested and dynamic group management.

DirX Directory Member

The DirX Directory Member attribute can be requested in search operations. It is used to show all members of a groupOfNames object and of a nested group object (structural object class groupOfNames plus auxiliary class dirxImportGroup), including all the members that come from the imported groups. It is also used to show all members from a dynamic group object (structural object class dirxGroupOfUrls). The attribute can also be specified in a search filter and is used for matching in nested groups and dynamic groups.

Abbreviation

DRXMEM

LDAP Name(s)

dirxMember

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
DRXMEM={/O=My-Company/CN=Admin}
Example (LDAP)
dirxMember= cn=Admin ,o=My-Company

DirX Directory Member Of

The DirX Directory Member Of attribute can be requested in search operations. It shows the DNs of groupOfNames entries in which the resulting entry is a direct member of the group or an indirect member through its inclusion in a nested group or a member of a dynamic group. The attribute can also be specified in a search filter and returns the DNs of the nested and dynamic groups of which the entry is a member.

Abbreviation

DRXMEMOF

LDAP Name(s)

dirxMemberOf

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
DRXMEMOF={/O=My-Company/CN=AdminGroup}
Example (LDAP)
dirxMemberOf= cn=AdminGroup,o=My-Company

DirX Directory Member Url

The DirX Directory MemberUrl attribute specifies an LDAP search expression. It is used to define a dynamic group.

Abbreviation

DRXMURL

LDAP Name(s)

dirxMemberUrl

Syntax (DAP)

Directory-String, format DirX Directory-Member-Url

Syntax (LDAP)

Directory-String, format DirX Directory-Member-Url

Example (DAP)
DRXMURL=ldap:///o=My-Company??sub?(&(l=sunnyvale)(title=senior*))
Example (LDAP)
dirxMemberUrl=ldap:///o=My-Company??sub?(&(l=sunnyvale)(title=senior*))

DirX Directory Imported Groups

The DirX Directory Imported Groups attribute can be requested in search operations. It shows the DNs of all imported groups of a nested group entry.

Abbreviation

IMPGROUP

LDAP Name(s)

dirxImportedGroups

Syntax (DAP)

Directory String

Syntax (LDAP)

Directory String (LDAP Style)

Example (DAP)
Imported-Groups : 1- cn=Employees1,o=My-Company
                : 2-- cn=SalesGroup,ou=Sales,o=My-Company
                : 2-- cn=DevelopmentGroup,ou=Development,o=My-Company
Example (LDAP)
dirxImportedGroups : 1- cn=Employees1,o=My-Company
                   : 2-- cn=SalesGroup,ou=Sales,o=My-Company
                   : 2-- cn=DevelopmentGroup,ou=Development,o=My-Company

DirX Directory Export To

The DirX Directory Export To attribute is automatically maintained by the DSA in an imported group and refers to the nested group entry that imports the group.

Abbreviation

EXPTO

LDAP Name(s)

dirxExportTo

Syntax (DAP)

Distinguished Name

Syntax (LDAP)

Distinguished Name (LDAP style)

Example (DAP)
EXPTO={/O=My-Company/CN=UserGroups}
Example (LDAP)
dirxExportTo=cn=UserGroups,o=My-Company

X.500 Distributed Operational Attributes

Operational attributes are attributes representing operational and/or administrative information.Distributed operational attributes are used by several DSAs as part of distributed operations; for example, knowledge reference attributes.

Knowledge Reference Attributes

This section describes distributed operational attributes related to knowledge references.

Non Specific Knowledge

The Non Specific Knowledge attribute specifies access points for the master DSAs of one or more naming contexts and/or shadow DSAs for the same or more naming contexts.The context prefixes of the naming context(s) is (are) not known.The immediate superior is known and the access point information is associated with its name.(See Master-And_Shadow-Access-Points syntax for details.) The attribute is multi-valued and managed by the DSA itself.It is accessible only by using dirxadm.

The attribute is held in a DSE of type NSSR and represents non-specific subordinate references.

The DSA may use the attribute information when constructing a continuation reference returned in a DAP or DSP referral, when performing chaining, and when constructing shadowed DSA specific entries of type NSSR provided in the DISP.

Non-specific subordinate references are not supported by the DirX Directory DSAs.

Abbreviation

NSK

Syntax (DAP)

Master-And-Shadow-Access-Point

Example (DAP)
NSK={MOS={MSAP={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa1},
               PSAP={TS=Server19,
                     NA='TCP/IP!internet=123.45.67.89+port=102'}},
         CAT=MASTER};
        {MSAP={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa2},
               PSAP={TS=Server19,
                     NA='TCP/IP!internet=139.88.99.1+port=102'}},
         CAT=SHADOW}
   }

Specific Knowledge

The Specific Knowledge attribute specifies access points for the master DSAs of a naming context and/or shadow DSAs for that naming context. The context prefix of the naming context is known and associated with the access point information. (See Master-And_Shadow-Access-Points syntax for details.) The attribute is single-valued. It is accessible only by using dirxadm.

The attribute is held in a DSE of type SUBR (representing a specific subordinate reference), IMM_SUPR (representing a immediate superior reference), or XR (representing a cross reference).

The DSA may use the attribute information when constructing a continuation reference returned in a DAP or DSP referral, when performing chaining, and when constructing shadowed DSA specific entries of type SUBR, IMM_SUPR, or XR provided in the DISP.

To return LDAP referrals to LDAP clients, the AE component can contain the value of the special naming attribute LDAP URL (abbreviation LURL and syntax Directory-String {32768}). The referral to another LDAP server is returned as LDAP URL. In this case, the presentation address (PSAP) is ignored.

Abbreviation

SK

Syntax (DAP)

Master-And-Shadow-Access-Point

Example (DAP)
SK={MOS={MSAP={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa1},
               PSAP={TS=Server19,
                     NA='TCP/IP!internet=123.45.67.89+port=102'}},
         CAT=MASTER};
        {MSAP={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa2},
               PSAP={TS=Server19,
                     NA='TCP/IP!internet=139.88.99.1+port=102'}},
         CAT=SHADOW}
   }
SK={MOS={MSAP={AE={/LURL=ldap:\/\/ldapservice.dec.de:389},
               PSAP={TS=X,NA='TCP/IP!internet=127.0.0.1+port=1'}}}}

DirX Directory DSA Operational Attributes

Operational attributes are attributes representing operational and/or administrative information.DSA operational attributes are used only locally to the DSA.

Authentication

This section describes DirX Directory DSA operational attributes related to authentication.

DirX Directory-Admininistrators

The DirX Directory-Administrators attribute specifies the distinguished names of the users that the DSA will recognize as an authorized user of dirxadm.It is an attribute of the root DSE.(See the dse bind operation of the dse (dirxadm) section in the DirX Directory Administration Reference for details.)

Because this attribute is only accessible by using dirxadm, no access using LDAP or DAP protocol is possible.

Abbreviation

DADM

Syntax

Distinguished-Name

Example (dirxadm)
DADM={/O=My-Company/CN=Administrator}; \
     {/O=NSA/CN=NSA-Administrator}

Knowledge Attributes

This section describes DirX Directory DSA operational attributes related to replication configurations.

Consumer Knowledge

The Consumer Knowledge attribute specifies information about shadow consumers for a particular naming context held by a shadow supplier DSA. It is a multi-valued attribute associated with the context prefix of a naming context. The information identifies the access points of the consumer DSAs and also the identifiers for the corresponding shadowing agreements. (See Consumer-Information syntax for details.)

All shadow supplier DSAs contain a value of this attribute for each shadowing agreement in which they act as a supplier.

The AGR (agreement id) component of the attribute is required in all DISP operations.

Abbreviation

CK

Syntax (DAP)

Consumer-Information

Example (DAP)
CK={CON={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa},
        PSAP={TS=Server19,NA='TCP/IP!internet=123.45.67.89+port=102'},
                AGR={ID=10,VERS=20}
      }

Superior Knowledge

The Superior Knowledge attribute is used by non-first level DSAs to specify its superior reference. It is a single-valued attribute of the root-DSE and accessible only by using dirxadm. All non-first level DSAs shall hold this attribute. The attribute is managed by the DSA itself. (See Access-Point syntax for details.)

The DSA may use the attribute information when constructing a continuation reference returned in a DAP or DSP referral or when performing chaining.

Abbreviation

SPK

Syntax

Access-Point

Example (dirxadm)
SPK={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa},
     PSAP={TS=Server19,NA='TCP/IP!internet=123.45.67.89+port=102'}}

Supplier Knowledge

The Supplier Knowledge attribute specifies information about the shadow supplier DSA in a shadow agreement for a particular naming context held by a shadow consumer DSA. It is a multi-valued attribute associated with the context prefix of a shadowed naming context. The attribute consists of the ID and version number that identify the shadow agreement between the supplier and the consumer, the access point for the supplier of the copy of the naming context, and an indication of whether this supplier holds the master copy of the naming context. In addition, the information can optionally include the access point for the master if the supplier does not hold the master copy. (See Supplier-Information syntax for details.)

All shadow consumer DSAs hold a value of this attribute for each shadowing agreement in which they act as a consumer.

The DSA may use the attribute information when constructing a continuation reference returned in a DAP or DSP referral.

The AGR (agreement id) component of the attribute is required in all DISP operations.

Abbreviation

SUK

Syntax (DAP)

Supplier-Information

Example (DAP)
SUK={SUP={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa1},
          PSAP={TS=Server19,
                NA='TCP/IP!internet=123.45.67.89+port=102'}},
     AGR={ID=1,
          VERS=1},
     ISM=TRUE,
     NSM={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa2},
          PSAP={TS=Server19,
                NA='TCP/IP!internet=139.88.99.1+port=102'}};
         {AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa3},
          PSAP={TS=Server19,
                NA='TCP/IP!internet=139.88.99.2+port=102'}}
    }

Secondary Shadows

The Secondary Shadows attribute specifies the suppliers of secondary shadows and their consumers. It is a multi-valued attribute associated with the context prefix of a shadowed naming context. The attribute consists of the access point of a shadow supplier and a list of its direct consumers. (See Supplier-And-Consumers syntax for details.)

Abbreviation

SES

Syntax (DAP)

Supplier-And-Consumers

Example (DAP)
SES={SUP={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa1},
          PSAP={TS=Server19,
                NA='TCP/IP!internet=123.45.67.89+port=102'}}},
         CON={AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa2},
              PSAP={TS=Server19,
                    NA='TCP/IP!internet=139.88.99.2+port=102'}}};
             {AE={/O=my-company/OU=asw/CN=dsa/CN=sni-dsa3},
              PSAP={TS=Server19,
                    NA='TCP/IP!internet=139.88.99.3+port=102'}}}
      }

Policy Attributes

This section describes DirX Directory DSA operational attributes for establishing policies.

Audit Policy

The Audit Policy attribute specifies the auditing of DirX Directory transactions. It is an attribute of the root-DSE and is managed by the audit (dirxadm) command. (See the audit operation in the DirX Directory Administration Reference for details.)

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

AUDP

Syntax

Audit-Info

Example (dirxadm)

See the audit (dirxadm) command in the DirX Directory Administration Reference.

DSA Policy

The DSA Policy attribute specifies information that defines bilateral agreements between the local DSA and other remote DSAs known to it. It is an attribute of the root DSE and is managed by using dirxadm. It supplies information about the authentication procedures for DSP and DISP operations. The attribute is multi-valued. Each value is assigned to a specific DSA or / and contains one or more policy options. (See DSA-Policies syntax for details.)

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

DSAP

Syntax

DSA-Policies

Example (dirxadm)

Error! Cannot open file.

Local Scope Policy

The Local Scope Policy attribute specifies the interpretation of the local-scope service control. It is a single-valued attribute of the root-DSE and is managed by using dirxadm. (See Local Scope Policy syntax for details.)

Because this attribute is only accessible by using dirxadm no access using LDAP and DAP protocols is possible.

Valid values for the Local Scope Policy attribute are:

  • DSA - The local scope is the scope of the DSA. The DSA responds on the basis of information that it holds itself, and does not chain or create referrals or continuation references

  • LOCAL-DOMAIN - The local scope is the scope of the local domain of the DSA. The DSA chains or creates referrals or continuation references only to the group of DSAs in the local domain. A DSA belongs to the same local domain as the local DSA if a DSA policy exists for this DSA with the value OPT=LOCAL-DOMAIN

  • DMD - The local scope is the scope of the Directory Management Domain (DMD) of the DSA. The DSA will chain or create referrals or continuation references only within the group of DSAs configured within the DMD. A DSA belongs to the same DMD as the local DSA if a DSA policy exists for this DSA with the value OPT=DMD

The default value is DSA.

Abbreviation

LSP

Syntax

Local Scope Policy

Example (dirxadm)
LSP=DMD
LSP=DSA
LSP=LOCAL-DOMAIN

Paging Policy

The Paging Policy attribute specifies the configuration parameters for paged results of search requests. It is an attribute of the root DSE and is managed by using dirxadm. The attribute is single-valued. It is valid for all search operations. (See Paging-Policies syntax for details.)

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

When you want to use simple paging with your client, the administrator should set this global policy.

When one of the specified limits has been exceeded, the DSA returns the error Unwilling To Perform.

Abbreviation

PAGP

Syntax

Paging-Policies

Example (dirxadm)

In the following example, resume information kept for paged results is released when no subsequent request has been received for a period of 180 seconds.

Search operations are rejected with the error "Unwilling To Perform" when
- a search operation containing a paged result request requires to allocate resume information while resume information is already kept for 15 other search operations
- the resume information exceeds the maximum amount of 2 MB

PAGP={PTO=180,
      MAXNUM=15,
      MAXMEM=2048}

Partial Entry Shadowing Policy

The Partial Entry Shadowing Policy attribute specifies the behavior of the DSA when performing DISP protocol on supplier / initiator side; that is, when generating update information messages for shadowing or when writing LDIF files.

If this attribute is not specified or set to FALSE, the total update message segments contain only complete entries. If there is a huge entry to be shadowed or to be written to an LDIF file, for example, an entry that contains a group with huge number of members, it may happen that the system cannot provide enough memory to prepare the update segment and shadowing or writing an LDIF file fails.

If this attribute is set to TRUE, the DSA is able to process partial entries and generate segmented messages or LDIF file records that contain only a part of an entry.

An administrator may set this attribute to TRUE when all the following conditions are met:

  • The DSA acts as a shadow supplier or writes LDIF content files.

  • Total update is performed by sending protocol messages and not done by media.

  • The DSA contains huge entries that cannot be loaded from the database to the memory as a whole; for example, entries that contain groups with a huge number of members.

  • An administrator should set the PESHA attribute to TRUE only when failing TOTAL updates occur because of memory problems.

DSAs providing this policy cannot interoperate with DSAs older than DirX Directory EE V2.0C00 or DirX Directory V7.0B00 or with other vendor implementations. When running your DSA in such interoperation scenarios, you must set this attribute to FALSE.

This attribute is an attribute of the root-DSE and is managed by using dirxadm. The attribute is single-valued.

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

PESHA

Syntax

Boolean

Example (dirxadm)
PESHA=TRUE

Search Base Policy

The Search Base Policy attribute specifies the topmost level in the DIT where a search operation can be started. It is an attribute of the root DSE and is managed by using dirxadm.

DAP and DSP search requests for subtrees are rejected with the service error administrativeLimitExceeded if the base object contains fewer RDNs than specified in the Search Base Policy attribute.

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

SBP

Syntax

Integer

Example (dirxadm)
SBP=2	DSA rejects all search operations started from root and country
 		level

Time Limit Policy

The Time Limit Policy attribute specifies the maximum time limit in seconds for search operations that is accepted by the DSA in user requests. It is an attribute of the root DSE and is managed by using dirxadm.

If the time limit is exceeded, an incomplete result is returned.

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

TLP

Syntax

Integer

Example (dirxadm)
TLP=25

User Policy

The User Policy attribute specifies policies for DAP users, discriminating between them by name. It is an attribute of the root DSE and is managed by using dirxadm. It supplies information about the user’s required authentication method, whether the users can access the chaining and modify services of the DSA, the maximum number of entries of a retrieval result, and the maximum length of attribute values returned in a retrieval result. The attribute is multi-valued and each value is assigned to a specific user or a group of users. (See User-Policies syntax for details.)

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

USP

Syntax

User-Policies

Example (dirxadm)
USP={USN={/O=my-company/OU=asw},
     OPT=CHAINING+MODIFY,
     AP={AMB={AM=SIMPLE;SIMPLE-WITH-PWD},
         OPWD=my-pwd,
         CV=300}};
    {USN={/O=my-company/OU=com},
     OPT=CHAINING,
     AP={AMB={AM=SIMPLE},
         OPWD=pwd}}
}

Miscellaneous Attributes

This section describes miscellaneous DirX Directory DSA operational attributes.

Cooperating DSA

The Cooperating DSA attribute specifies information about the administered operational bindings with partner DSAs. It is an attribute of a subentry of the root-DSE and is used only for display purposes. The name of the subentry is /CN=Cooperating-DSAS-Subentry. The attribute value should not be modified by the user. It can be accessed by dirxadm only. Use the dirxadm lob and sob show operation to display the value. The dirxadm lob and sob functions must be used to create, modify, or delete the information displayed by this attribute. (See Cooperating-DSA syntax for details.)

The master and supplier DSA of the cooperating DSAs subentry is the DSA that is displayed in the Supplier Knowledge (SUK) attribute of the agreement propagating the cooperating DSA subentry to all participating DSAs. This agreement is created and administrated automatically by the DSA when the administrator creates a shadowing agreement. The supplier of the cooperating DSA is modified by the DSA when the administratior performs a sob switch operation. The cooperating DSA subentry must be the same on all DSAs participating in a network.

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Abbreviation

CDSA

Syntax

Cooperating-DSA

Example (dirxadm)

  1. In the following example the CDSA (Cooperating-DSA) attribute displays the attribute values of two LDIF agreements.

    CDSA={SUPP={AE={/O=My-Company/CN=DSA1},
      PSAP={TS=DSA1,NA=TCP/IP_IDM!internet=123.45.67.89+port=21100}},

LDIF agreement 1:
      SOB={SAI={SS={AREA={CP={/O=My-Company},
                RA={BAS={/}}},ATT={DEF=TRUE}},
                UM={SI={S={PS={WS=1000,UI=1}}}}},
           AGR={ID=14057,VERS=0},
           OBMV={VF=030401064822Z},
           OBS=NONCOOPERATIVE,
           RPOL={SUPP={MAXLOC=1024},
                 LDSUPP={BINO=NONE,MAXROW=200,
                         CS=UTF8,CHANGEO=FALSE}}};

LDIF agreement 2:
          {SAI={SS={AREA={CP={/O=My-Company2},},
                RA={BAS={/}}},ATT={DEF=TRUE}},
                UM={SI={S={PS={WS=1000,UI=1}}}}},
           AGR={ID=16058,VERS=0},
           OBMV={VF=030401064822Z},
           OBS=NONCOOPERATIVE,
           RPOL={LDSUPP={CS=LATIN1,CHANGEO=FALSE}}}}

  2. In the following example the CDSA (Cooperating-DSA) attribute displays the attribute values of two shadowing agreements.

    {CDSA={SUPP={AE={/O=My-Company/CN=DSA1}
      PSAP={TS=DSA1,NA=TCP/IP_IDM!internet=123.45.67.89+port=21100}},

       CONS={AE={/O=My-Company/CN=DSA2},
      PSAP={TS=DSA2,NA=TCP/IP_IDM!internet=123.45.67.88+port=21100}},

agreement 1:
       SOB={SAI={SS={AREA={CP={/O=My-Company},
                 RA={BAS={/}}},ATT={DEF=TRUE}},
                 UM={SI={S={PS={WS=1000,UI=1}}}}},
            AGR={ID=0,VERS=0},
            OBMV={VF=030401065354Z},
            OBS=NONCOOPERATIVE,
            RPOL={INI={ATU=TRUE},
                  SUPP={MAXLOC=100},
                  CONS={MAXLOC=100,REPLS=TRUE}}};

automatically generated agreement to propagate agreement information to consumer DSA:
           {SAI={SS={AREA={CP={/CN=Cooperating-DSAS-Subentry},
                 RA={DEF=TRUE}},ATT={DEF=TRUE}},
                 UM={SI={OC=TRUE}}},
            AGR={ID=1,VERS=0},
            OBMV={VF=030401065354Z},
            OBS=COOPERATIVE};

agreement 2:
           {SAI={SS={AREA={CP={/O=My-Company2},
                 RA={BAS={/}}},ATT={DEF=TRUE}},
                 UM={SI={S={PS={WS=1000,UI=1}}}}},
            AGR={ID=16058,VERS=0},
            OBMV={VF=030401065354Z},
            OBS=NONCOOPERATIVE,
            RPOL={SUPP={US=TOTAL},CONS={US=TOTAL}}}}}

DSE Type

The DSE Type attribute specifies the role that a DSE plays in regard to an entry and its distribution. A DSE can have multiple DSE types. A combination of DSE type values is specified by using the + (plus sign). Every DSE in a DSA has this attribute, which is accessible using dirxadm only. (See DSE Type Syntax for details.)

Because this attribute is only accessible by using dirxadm, no access using LDAP and DAP protocols is possible.

Valid values for the DSE Type attribute are:

  • ROOT - Used exclusively by the DSE that represents the root of the DIT in a particular DSA.

  • GLUE - A DSE that represents a name only. A DSA uses glue DSEs to hold the names of the superiors of the context prefixes and cross references where there is no other knowledge associated with them. You cannot assign any other DSE types to a DSE typed as GLUE.

  • CP - A DSE that represents the context prefix of a naming context.

  • ENTRY - A DSE that represents the entry itself, normally including the user attributes. If the SHADOW bit is not set, the DSE represents the master copy of the entry and holds all the attributes associated with the entry.

  • ALIAS - A DSE that represents an alias entry.

  • SUBR - A DSE that represents a specific subordinate reference and holds a corresponding knowledge attribute.

  • NSSR - A DSE that represents a non-specific subordinate reference, and holds a corresponding knowledge attribute.

  • SUPR - A root DSE that holds a knowledge attribute that represents a specific superior reference. (See ROOT value.)

  • XR - A DSE that represents a cross-reference and holds a corresponding knowledge attribute.

  • ADM_POINT - A DSE that represents an administrative point.

  • SUBENTRY - A DSE that represents a subentry.

  • SHADOW - A DSE that represents shadowed information.

  • IMM_SUPR - A DSE that represents an immediate superior reference and holds a corresponding knowledge attribute.

  • RHOB - A DSE that holds policy information (either administrative point or subentry information), which has been received from a superior DSA as the result of a hierarchical operational binding.

  • SA - An additional characteristic of a subordinate reference DSE (that is, of type SUBR), which is used to indicate that the context prefix pointed to by the reference is an alias and not a normal entry.

The following list gives the most commonly used types and combinations in the absence of shadowing:

  • ROOT+SUPR

  • GLUE (must be used alone)

  • ENTRY+CP+ADM_POINT

  • ALIAS+CP

  • SUBENTRY (used alone)

  • IMM_SUPR (used alone)

Abbreviation

DSET

Syntax

DSE-Type

Example (dirxadm)
DSET=ENTRY+ADM_POINT
DSET=GLUE

Enable Unique Index

The Enable Unique Index attribute enables or disables unique constraint checking of attribute type values. It is an attribute of the root DSE. By default, this feature is disabled and the Enable Unique Index (ENUI) attribute is not present in the root DSE. To enable this feature, create the Enable Unique Index (ENUI) attribute with the value TRUE in the root DSE.

Abbreviation

ENUI

LDAP Name

enableUniqueIndex

Syntax

Boolean

Example (dirxadm)

ENUI=TRUE